1. INTRODUCTION 

1.1 Quantum Engineering 

As pointed out by Dowling and Milburn [10], we are currently in the midst of a second quantum revolution: the transition from quantum theory to quantum engineering. The aim of quantum theory is to find the fundamental rules that govern physical systems already existing in nature. Quantum engineering, instead, intends to design and implement new systems (machines, devices, etc.) that did not exist before, based on quantum theory, in order to accomplish some desirable tasks. Experience in today's engineering indicates that it is not guaranteed that a human designer completely understands the behaviors of the systems she/he designed, and a bug in her/his design may cause serious problems and even disasters. So, correctness, safety and reliability of complex engineering systems have attracted wide attention and have been systematically studied in various engineering fields. As is well known, human intuition is much better adapted to the classical world than to the quantum world. This implies that human engineers will commit many more faults in designing and implementing complex quantum systems. Thus, the correctness, safety and reliability problem will be even more critical in quantum engineering than in today's engineering. 

1.2 Model-Checking 

In the last four decades, computer scientists have systematically developed theories of 
correctness and safety as well as methodologies, techniques and even automatic tools for 
correctness and safety verification of computer systems; see for example [24], [26], [1]. 
Model-checking is an effective automated technique that checks whether a formal (tem- 
poral logic) property is satisfied in a formal model of a system. It has become one of the 
dominant techniques for verification of computer systems nearly 30 years after its incep- 
tion. Many industrial-strength systems have been verified by employing model-checking 
techniques. Recently, it has also successfully been used in systems biology; see [16] for 
example. 

1.3 Model-Checking Quantum Systems 

A question then naturally arises: is it possible, and if so how, to use model-checking techniques to verify correctness and safety of quantum engineering systems? It seems that the current model-checking techniques cannot be directly applied to quantum systems because of some essential differences between the classical world and the quantum world. To develop model-checking techniques for quantum systems, at least the following two problems must be addressed: 

— The classical system modeling method cannot be used to describe the behaviors of quan- 
tum systems, and the classical specification language is not suited to formalize the prop- 
erties of quantum systems to be checked. So, we need to carefully and clearly define a 
conceptual framework in which we can properly reason about quantum systems, includ- 
ing formal models of quantum systems and formal description of temporal properties of 
quantum systems. 

— The state spaces of the classical systems that model-checking techniques can be applied 
to are usually finite or countably infinite. However, the state spaces of quantum systems 
are inherently continuous even when they are finite-dimensional. In order to check quan- 
tum systems, we have to exploit some deep mathematical properties so that it suffices 
to examine only a finite number of (or at most countably infinitely many) representative 
elements, e.g. those in an orthonormal basis, of their state spaces. 

1.4 Previous Works 

There have been quite a few papers devoted to model-checking quantum systems. Almost 
all of the previous works target checking quantum communication protocols. For example, 
Gay, Nagarajan and Papanikolaou [14] used the probabilistic model-checker PRISM [23] 
to verify the correctness of several quantum protocols including BB84 [5]. Furthermore, 
they [15], [28] developed an automatic tool QMC (Quantum Model-Checker). QMC uses 
the stabilizer formalism [17] for the modeling of systems, and the properties to be checked 
by QMC are expressed in Baltazar, Chadha, Mateus and Sernadas' quantum computation 
tree logic [3], [4]. But as we shall see below, both the motivations and approaches of the 
works mentioned are very different from those of this paper. 
There are two other related research lines of verifying the correctness of quantum systems in the previous literature: (1) quantum process algebras [13], [19], [11], [37], [12], [36], and (2) quantum simulation, see [25] for example. They are pursued by computer scientists and physicists, respectively. None of the works in these two lines has employed model-checking techniques. 

1.5 Design Decision of the Paper 

Our purpose is to develop model-checking techniques that can be used not only for quan- 
tum communication protocols but also for other quantum engineering systems. To this end, 
first of all, we must address the first problem raised in Subsec. 1.3. This paper is merely 
one of the first steps toward such a general purpose. So, we choose to consider a simple 
formal model as well as a class of simple properties of quantum systems to be checked. 
More precisely, the major design decision of this paper is as follows: 

— A quantum automaton [22] is adopted as the model of the system. This is obviously 
reasonable since classical automata (or equivalently transition systems) are the common 
system models in classical model-checking. 

— Only linear-time properties of quantum systems are checked in this paper. They are 
defined to be infinite sequences of sets of atomic propositions, as in the classical case. 
But atomic propositions about quantum systems are essentially different from those for 
classical systems. Certain closed subspaces of the state (Hilbert) space of the system are 
chosen as atomic propositions about the system. The idea of viewing closed subspaces 
of (equivalently, projections on) a Hilbert space as propositions about a quantum system 
can be traced back to Birkhoff and von Neumann [6], and has been widely accepted in 
the quantum logic community for more than 70 years. 

1.6 Contribution of the Paper 

Overall, automata-based model-checking techniques [32], [21] are generalized into the quantum setting. The key idea of the automata-based approach to model-checking is that we can use an auxiliary automaton to recognize the properties to be checked, and then combine it with the system under checking so that the problem of checking the safety or ω-regular properties of the system is reduced to checking some simpler (invariant or persistence) properties of the larger system composed of the system under checking and the auxiliary automaton. A difference between the classical case and the quantum case deserves a careful explanation. In the classical case, the auxiliary automaton can be any finite state automaton, whereas in the quantum case, such an auxiliary automaton is required to be reversible; otherwise it cannot be a part of a quantum system, because the dynamics of a quantum system is inherently reversible. Since some regular and ω-regular languages cannot be recognized by reversible automata [29], [30], the class of properties that can be checked by the techniques developed in this paper is a proper subclass of that checkable by classical model-checking techniques (if we ignore the difference between classical and quantum atomic propositions). 

The major technical contribution of this paper is a solution to the second problem raised in Subsec. 1.3. This solution consists of the following steps: 

(1) Under an assumption about commutativity of atomic propositions, we show that to check an invariant of a quantum automaton, it suffices to examine its behaviors starting in an orthonormal basis of the space of its initial states. Thus, an algorithm for checking invariants of quantum automata can be developed, since there are only a finite number of elements in a basis of a finite-dimensional state space. 

(2) Under the same assumption, it is shown that a quantum automaton satisfies a persistence property if and only if it satisfies a corresponding invariant. This is very different from the classical case, and at first glance it is quite strange. However, such an equivalence between invariants and persistence properties is reasonable because the operations of quantum automata are always reversible. 

(3) We show that the reduction from safety and ω-regular properties of the system under checking to invariants and persistence properties of the composed system stated above is feasible if the composed system always starts in an orthonormal basis of the space of its initial states. 

(4) Fortunately, we can choose a set of atomic propositions about the composed system that enjoys the required commutativity. This enables us to connect (1), (2) and (3) seamlessly. It is worth noting that one of the main technical difficulties in quantum model-checking is to find a way in which such a connection is effective. Indeed, this connection heavily depends on some profound properties of Hilbert spaces, e.g. the implication from commutativity to distributivity in the lattice of closed subspaces of a Hilbert space. In the classical case, however, this connection works automatically and so was not a problem at all. 

1.7 Organization of the Paper 

In Sec. 2, we recall some basic notions from quantum theory as well as the definition of quantum automata from [22] for the convenience of the reader. In Sec. 3, a language for specifying linear-time properties of quantum systems is defined. Several important classes of linear-time properties of quantum systems are examined, including safety, liveness, invariant and persistence properties. An algorithm for checking invariants of a quantum automaton is presented in Sec. 4. The techniques for model-checking safety properties and ω-regular properties of quantum systems are presented in Sec. 5 and 6, respectively. A brief conclusion is drawn and some problems for future studies are pointed out in Sec. 7. 

2. QUANTUM SYSTEMS AND THEIR BEHAVIORS 
2.1 Hilbert Spaces 

According to a basic postulate of quantum mechanics, the state space of an isolated quantum system is a Hilbert space. In this paper, we only consider finite or countably infinite-dimensional Hilbert spaces. For convenience of the reader, we briefly recall some basic notions from Hilbert space theory. We write $\mathbb{C}$ for the set of complex numbers. For each complex number $c \in \mathbb{C}$, $\overline{c}$ stands for the conjugate of $c$. An inner product over a complex vector space $H$ is a mapping $\langle\cdot|\cdot\rangle : H \times H \to \mathbb{C}$ satisfying the following properties: 

(1) $\langle\varphi|\varphi\rangle \geq 0$ with equality if and only if $|\varphi\rangle = 0$; 

(2) $\langle\varphi|\psi\rangle = \overline{\langle\psi|\varphi\rangle}$; and 

(3) $\langle\varphi|c_1\psi_1 + c_2\psi_2\rangle = c_1\langle\varphi|\psi_1\rangle + c_2\langle\varphi|\psi_2\rangle$ 

for any $|\varphi\rangle, |\psi\rangle, |\psi_1\rangle, |\psi_2\rangle \in H$ and for any $c_1, c_2 \in \mathbb{C}$. Sometimes, we write $(|\varphi\rangle, |\psi\rangle)$ for the inner product $\langle\varphi|\psi\rangle$. Two vectors $|\varphi\rangle, |\psi\rangle$ in $H$ are said to be orthogonal, and we write $|\varphi\rangle \perp |\psi\rangle$, if $\langle\varphi|\psi\rangle = 0$. For any vector $|\psi\rangle$ in $H$, its length $\|\psi\|$ is defined to be $\sqrt{\langle\psi|\psi\rangle}$. If $\|\psi\| = 1$, then $|\psi\rangle$ is called a unit vector. 
Let $H$ be an inner product space, $\{|\psi_n\rangle\}$ a sequence of vectors in $H$, and $|\psi\rangle \in H$. If for any $\epsilon > 0$, there exists a positive integer $N$ such that $\|\psi_m - \psi_n\| < \epsilon$ for all $m, n > N$, then $\{|\psi_n\rangle\}$ is called a Cauchy sequence. If for any $\epsilon > 0$, there exists a positive integer $N$ such that $\|\psi_n - \psi\| < \epsilon$ for all $n > N$, then $|\psi\rangle$ is called a limit of $\{|\psi_n\rangle\}$ and we write $|\psi\rangle = \lim_{n \to \infty}|\psi_n\rangle$. A Hilbert space is a complete inner product space; that is, an inner product space in which each Cauchy sequence of vectors has a limit. A state of a quantum system is usually described by a unit vector in a Hilbert space. 

A sequence $\{|\psi_n\rangle\}$ of vectors in $H$ is summable with the sum $|\psi\rangle$, and we write $|\psi\rangle = \sum_n |\psi_n\rangle$, if for any $\epsilon > 0$ there is a nonnegative integer $n_0$ such that 

$$\Big\|\psi - \sum_{n' \leq n}\psi_{n'}\Big\| < \epsilon$$ 

for every $n \geq n_0$. A finite or countably infinite family $\{|\psi_n\rangle\}$ of unit vectors is called an orthonormal basis of $H$ if 

(1) $|\psi_m\rangle \perp |\psi_n\rangle$ for any $m, n$ with $m \neq n$; and 

(2) $|\psi\rangle = \sum_n \langle\psi_n|\psi\rangle\,|\psi_n\rangle$ 

for each $|\psi\rangle \in H$. 

Let $X \subseteq H$. If we have $|\varphi\rangle + |\psi\rangle \in X$ and $c|\varphi\rangle \in X$ for any $|\varphi\rangle, |\psi\rangle \in X$ and $c \in \mathbb{C}$, then $X$ is called a subspace of $H$. For each $X \subseteq H$, the closure $\overline{X}$ of $X$ is defined to be the set of limits $\lim_{n \to \infty}|\psi_n\rangle$ of sequences $\{|\psi_n\rangle\}$ in $X$. A subspace $X$ of a Hilbert space $H$ is said to be closed if $\overline{X} = X$. For any subset $X$ of $H$, we define $\mathrm{span}X$ to be the smallest closed subspace of $H$ containing $X$. Let $X$ be a closed subspace of $H$ and $|\psi\rangle \in H$. Then we write $|\psi\rangle \perp X$ whenever $|\psi\rangle \perp |\varphi\rangle$ for all $|\varphi\rangle \in X$. The ortho-complementation of $X$ is defined to be 

$$X^{\perp} = \{|\psi\rangle \in H \mid |\psi\rangle \perp X\}.$$ 

For each $|\psi\rangle \in H$, there exist uniquely $|\psi_0\rangle \in X$ and $|\psi_1\rangle \in X^{\perp}$ such that $|\psi\rangle = |\psi_0\rangle + |\psi_1\rangle$. The vector $|\psi_0\rangle$ is called the projection of $|\psi\rangle$ onto $X$ and written $|\psi_0\rangle = P_X|\psi\rangle$. Thus, an operator $P_X$ on $H$ is defined, and it is called the projector onto $X$. 

A (linear) operator on a Hilbert space $H$ is a mapping $A : H \to H$ satisfying the following conditions: 

(1) $A(|\varphi\rangle + |\psi\rangle) = A|\varphi\rangle + A|\psi\rangle$; 

(2) $A(\lambda|\psi\rangle) = \lambda A|\psi\rangle$ 

for all $|\varphi\rangle, |\psi\rangle \in H$ and $\lambda \in \mathbb{C}$. The identity operator on $H$ is written as $I_H$. For any subset $X$ of $H$ and operator $A$ on $H$, the image of $X$ under $A$ is denoted by 

$$AX = \{A|\psi\rangle \mid |\psi\rangle \in X\}.$$ 

For any operator $A$ on $H$, if there exists a linear operator $A^{\dagger}$ on $H$ such that 

$$(|\varphi\rangle, A|\psi\rangle) = (A^{\dagger}|\varphi\rangle, |\psi\rangle)$$ 

for all $|\varphi\rangle, |\psi\rangle \in H$, then $A^{\dagger}$ is called the adjoint of $A$. An eigenvector of an operator $A$ on $H$ is a non-zero vector $|\psi\rangle \in H$ such that $A|\psi\rangle = \lambda|\psi\rangle$ for some $\lambda \in \mathbb{C}$, called the eigenvalue of $A$ corresponding to $|\psi\rangle$. 
The state space of a composed quantum system is the tensor product of the state spaces of its component systems. Let $H_k$ be a Hilbert space with orthonormal basis $\{|\varphi_{i_k}\rangle\}$ for $1 \leq k \leq n$. Then the tensor product $\bigotimes_{k=1}^{n} H_k$ is defined to be the Hilbert space with $\{|\varphi_{i_1}\rangle \ldots |\varphi_{i_n}\rangle\}$ as its orthonormal basis. If $A_k$ is a linear operator on $H_k$ for $1 \leq k \leq n$, then the tensor product $\bigotimes_{k=1}^{n} A_k$ is the operator on $\bigotimes_{k=1}^{n} H_k$ defined by 

$$\Big(\bigotimes_{k=1}^{n} A_k\Big)(|\psi_1\rangle \ldots |\psi_n\rangle) = (A_1|\psi_1\rangle) \ldots (A_n|\psi_n\rangle)$$ 

for all $|\psi_k\rangle \in H_k$ $(1 \leq k \leq n)$. 
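The notions of Sec. 2.1 carried out numerically, as an added example that is not part of the paper: a closed subspace $X$ of $H = \mathbb{C}^3$ is represented by an orthonormal basis stored as matrix columns; the projector $P_X$, the ortho-complement $X^{\perp}$ and the unique decomposition $|\psi\rangle = |\psi_0\rangle + |\psi_1\rangle$ are computed and checked; and the defining identity of the adjoint and the action of a tensor product of operators on a product vector are verified. NumPy is assumed, every vector and operator below is constructed for the example, and the function names are mine.

```python
import numpy as np

TOL = 1e-9


def orthonormal_basis(vectors, dim):
    """Columns form an orthonormal basis of span{vectors}; the SVD drops dependent ones."""
    if len(vectors) == 0:
        return np.zeros((dim, 0), dtype=complex)
    u, s, _ = np.linalg.svd(np.column_stack(vectors).astype(complex), full_matrices=False)
    return u[:, s > TOL]


def projector(basis):
    """P_X = sum_k |e_k><e_k| for an orthonormal basis {|e_k>} (the columns) of X."""
    return basis @ basis.conj().T


def orthocomplement(basis, dim):
    """Orthonormal basis of X^perp = {|psi> : |psi> _|_ X}, i.e. the range of I - P_X."""
    u, s, _ = np.linalg.svd(np.eye(dim) - projector(basis))
    return u[:, s > TOL]


def is_projector(p):
    """The projector onto a closed subspace is idempotent and self-adjoint."""
    return bool(np.allclose(p @ p, p, atol=TOL) and np.allclose(p.conj().T, p, atol=TOL))


def decompose(psi, basis):
    """|psi> = |psi0> + |psi1> with |psi0> = P_X|psi> in X and |psi1> in X^perp."""
    psi0 = projector(basis) @ psi
    return psi0, psi - psi0


def inner(phi, psi):
    """<phi|psi>: conjugate-linear in the first argument, linear in the second."""
    return np.vdot(phi, psi)


def adjoint_identity_holds(a, phi, psi):
    """<phi|A psi> = <A^dagger phi|psi>, the identity that defines the adjoint."""
    return bool(abs(inner(phi, a @ psi) - inner(a.conj().T @ phi, psi)) < TOL)


def tensor_action_holds(a, b, psi, phi):
    """(A (x) B)(|psi>|phi>) = (A|psi>)(B|phi>), with np.kron as the tensor product."""
    return bool(np.allclose(np.kron(a, b) @ np.kron(psi, phi),
                            np.kron(a @ psi, b @ phi), atol=TOL))


def demo():
    """Constructed example in C^3: X = span{|0>, (|1>+|2>)/sqrt2}, psi = (1,2,3)/sqrt14."""
    e = np.eye(3, dtype=complex)
    x = orthonormal_basis([e[0], (e[1] + e[2]) / np.sqrt(2)], 3)
    x_perp = orthocomplement(x, 3)
    psi = np.array([1, 2, 3], dtype=complex) / np.sqrt(14)
    psi0, psi1 = decompose(psi, x)
    p = projector(x)
    # Two single-qubit operators and two qubit states for the tensor-product check.
    a = np.array([[0, 1], [1, 0]], dtype=complex)
    b = np.array([[1, 0], [0, -1]], dtype=complex)
    ket0 = np.array([1, 0], dtype=complex)
    plus = np.array([1, 1], dtype=complex) / np.sqrt(2)
    return {
        "dim_X": x.shape[1],
        "dim_X_perp": x_perp.shape[1],
        "P_X_is_projector": is_projector(p),
        "psi0_in_X": bool(np.linalg.norm(p @ psi0 - psi0) < TOL),
        "psi1_orthogonal_to_X": bool(np.linalg.norm(p @ psi1) < TOL),
        "sum_recovers_psi": bool(np.allclose(psi0 + psi1, psi, atol=TOL)),
        "adjoint_identity": adjoint_identity_holds(
            np.array([[1, 2j], [0, 1]], dtype=complex), np.array([1, 1j]) / np.sqrt(2), ket0),
        "tensor_action": tensor_action_holds(a, b, ket0, plus),
    }
```

The subspace is kept as an orthonormal basis rather than as a spanning set so that `projector` is a one-line product; `orthocomplement` reuses the fact that $I - P_X$ is itself the projector onto $X^{\perp}$, which is why its non-zero singular vectors span exactly that complement.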

2.2 Dynamics of Quantum Systems 

An operator $U$ on a Hilbert space $H$ is called a unitary transformation if $U^{\dagger}U = I_H$. The basic postulate of quantum mechanics about evolution of systems may be stated as follows: Suppose that the states of a closed quantum system at times $t_0$ and $t$ are $|\psi_0\rangle$ and $|\psi\rangle$, respectively. Then they are related to each other by a unitary operator $U$ which depends only on the times $t_0$ and $t$: 

$$|\psi\rangle = U|\psi_0\rangle.$$ 

2.3 Quantum Automata 

As the first step toward developing model-checking techniques for quantum systems, we choose to consider a class of simple quantum systems whose discrete-time behaviors can be modeled by quantum automata [22]. 

DEFINITION 2.1. Let $H$ be a Hilbert space with orthonormal basis $\{|i\rangle\}$. A quantum automaton in $H$ is a triple 

$$\mathcal{A} = (Act, \{U_a \mid a \in Act\}, I)$$ 

where 

(1) $Act$ is a set of action names; 

(2) for each $a \in Act$, $U_a$ is a unitary operator on $H$, that is, it is a linear operator, written as 

$$U_a|i\rangle = \sum_j u_a(i,j)|j\rangle,$$ 

such that 

$$\sum_j \overline{u_a(i_1,j)}\,u_a(i_2,j) = \begin{cases} 1 & \text{if } i_1 = i_2, \\ 0 & \text{otherwise;} \end{cases}$$ 

(3) $I$ is a closed subspace of $H$, the space of initial states. 

A path of $\mathcal{A}$ is an infinite sequence $|\psi_0\rangle|\psi_1\rangle|\psi_2\rangle\ldots$ of states in $H$ such that $|\psi_0\rangle \in I$, and 

$$|\psi_{n+1}\rangle = U_{a_n}|\psi_n\rangle$$ 

for some $a_n \in Act$, for all $n \geq 0$. This means that a path starts in an initial state $|\psi_0\rangle$, and for each $n \geq 0$, at the beginning of the $n$th step the machine is in state $|\psi_n\rangle$; then it performs an action described by $U_{a_n}$ and evolves into state $|\psi_{n+1}\rangle$. Likewise, a path fragment of $\mathcal{A}$ is a finite sequence $|\psi_0\rangle|\psi_1\rangle\ldots|\psi_n\rangle$ such that $|\psi_0\rangle \in I$ and 

$$|\psi_{k+1}\rangle = U_{a_k}|\psi_k\rangle$$ 

for some $a_k \in Act$, $k = 0, 1, \ldots, n-1$. Let $|\psi\rangle \in I$ and let $|\varphi\rangle$ be a state in $H$. We say that $|\varphi\rangle$ is reachable from $|\psi\rangle$ in $\mathcal{A}$ if $\mathcal{A}$ has a path fragment $|\psi_0\rangle|\psi_1\rangle\ldots|\psi_n\rangle$ such that $|\psi_0\rangle = |\psi\rangle$ and $|\psi_n\rangle = |\varphi\rangle$. We put 

$$R(\mathcal{A}) = \{|\psi\rangle \mid |\psi\rangle \text{ is reachable from some } |\varphi\rangle \in I\},$$ 

and define $RS(\mathcal{A})$ to be the closed subspace generated by $R(\mathcal{A})$, that is, $RS(\mathcal{A}) = \mathrm{span}R(\mathcal{A})$. The following lemma gives a simple characterization of $RS(\mathcal{A})$. 

LEMMA 2.1. $RS(\mathcal{A})$ is the intersection of all closed subspaces $X$ of $H$ satisfying the following conditions: 

(1) $I \subseteq X$; 

(2) $U_aX \subseteq X$ for all $a \in Act$. 

In other words, $RS(\mathcal{A})$ is the smallest one among all of these $X$. 

PROOF. Straightforward. □ 
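An added example, not code from the paper: Definition 2.1 as a small NumPy class that rejects non-unitary $U_a$ and evolves a path fragment along a sequence of action names, together with $RS(\mathcal{A})$ computed by the fixed-point iteration that Lemma 2.1 suggests. Starting from $X_0 = I$, each round replaces $X_k$ by $\mathrm{span}(X_k \cup \bigcup_a U_aX_k)$; the dimension never decreases and is bounded by $\dim H$, so the iteration reaches the least closed subspace containing $I$ and closed under every $U_a$ within $\dim H$ rounds. The two-qubit automata in `demo` are constructed for the example, and names such as `reachable_subspace` are mine.

```python
import numpy as np

TOL = 1e-9


def is_unitary(u):
    """U^dagger U = I, the condition on the coefficients u_a(i,j) in Definition 2.1."""
    return bool(np.allclose(u.conj().T @ u, np.eye(u.shape[0]), atol=TOL))


def span_basis(columns):
    """Orthonormal basis (as columns) of the span of the given column vectors; the SVD
    discards dependent columns, so the column count is the dimension of the span."""
    if columns.shape[1] == 0:
        return columns
    u, s, _ = np.linalg.svd(columns, full_matrices=False)
    return u[:, s > TOL]


class QuantumAutomaton:
    """A = (Act, {U_a | a in Act}, I): `unitaries` maps action names to matrices and
    `initial` is a list of vectors whose span is the closed subspace I."""

    def __init__(self, unitaries, initial):
        for name, u in unitaries.items():
            if not is_unitary(u):
                raise ValueError(f"U_{name} is not unitary")
        self.unitaries = dict(unitaries)
        self.dim = next(iter(unitaries.values())).shape[0]
        self.initial = span_basis(np.column_stack(initial).astype(complex))

    def path_fragment(self, psi0, actions):
        """|psi_0>|psi_1>...|psi_n> with |psi_{k+1}> = U_{a_k}|psi_k>, for |psi_0> in I."""
        if np.linalg.norm(self.initial @ (self.initial.conj().T @ psi0) - psi0) > TOL:
            raise ValueError("a path fragment must start in I")
        states = [psi0]
        for a in actions:
            states.append(self.unitaries[a] @ states[-1])
        return states


def is_closed_under_actions(aut, basis):
    """U_a X ⊆ X for every a, tested as (I - P_X) U_a P_X = 0."""
    p = basis @ basis.conj().T
    eye = np.eye(aut.dim)
    return all(np.linalg.norm((eye - p) @ u @ p) < TOL for u in aut.unitaries.values())


def reachable_subspace(aut):
    """RS(A) as the least closed X with I ⊆ X and U_a X ⊆ X (Lemma 2.1), by iterating
    X_{k+1} = span(X_k ∪ ⋃_a U_a X_k) until the dimension stops growing."""
    x = aut.initial
    while True:
        x_next = span_basis(np.hstack([x] + [u @ x for u in aut.unitaries.values()]))
        if x_next.shape[1] == x.shape[1]:
            return x_next
        x = x_next


def demo():
    """Constructed two-qubit automata, both starting in I = span{|00>}."""
    x = np.array([[0, 1], [1, 0]], dtype=complex)
    z = np.array([[1, 0], [0, -1]], dtype=complex)
    h = np.array([[1, 1], [1, -1]], dtype=complex) / np.sqrt(2)
    i2 = np.eye(2, dtype=complex)
    ket00 = np.eye(4, dtype=complex)[:, 0]
    a1 = QuantumAutomaton({"ZZ": np.kron(z, z), "XX": np.kron(x, x)}, [ket00])
    a2 = QuantumAutomaton({"ZZ": np.kron(z, z), "XX": np.kron(x, x),
                           "HI": np.kron(h, i2)}, [ket00])
    rs1, rs2 = reachable_subspace(a1), reachable_subspace(a2)
    frag = a1.path_fragment(ket00, ["XX", "ZZ", "XX"])   # |00> -> |11> -> |11> -> |00>
    return {
        "dim_RS_zz_xx": rs1.shape[1],            # only |00> and |11> are ever reached
        "dim_RS_with_hadamard": rs2.shape[1],    # a Hadamard on qubit 1 opens up all of H
        "RS_closed_under_actions": is_closed_under_actions(a1, rs1),
        "fragment_returns_to_start": bool(np.allclose(frag[-1], ket00, atol=TOL)),
    }
```

The first automaton shows that $RS(\mathcal{A})$ can be a proper subspace even though the reachable set $R(\mathcal{A})$ is only two vectors; adding a single local Hadamard makes the span grow to all of $H$ in two further rounds, which is the growth bound the iteration relies on.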

3. LINEAR-TIME PROPERTIES OF QUANTUM SYSTEMS 
3.1 Atomic Propositions in Quantum Systems 

Let $H$ be the state space of a quantum system. A closed subspace of $H$ will be seen as an atomic proposition about this system; more precisely, we will mainly consider the basic properties of the system of the form $|\psi\rangle \in X$, where $X$ is a closed subspace of $H$ and $|\psi\rangle$ is a state of the system. So, for a closed subspace $X$ of $H$, the atomic proposition represented by $X$ specifies a constraint on the behavior of the system under consideration: its state is within the given region $X$. This viewpoint of atomic propositions about a quantum system was proposed by Birkhoff and von Neumann a long time ago, and it is exactly the starting point of their quantum logic [6]. It was also adopted in one of the authors' studies on predicate transformer semantics [38] and automata theory based on quantum logic [35]. 

We write $S(H)$ for the set of closed subspaces of $H$. Some basic (atomic) propositions are of interest, but others may be irrelevant in a particular situation. So, we choose $AP \subseteq S(H)$. Intuitively, the elements of $AP$ represent the atomic propositions of interest. For each $|\psi\rangle \in H$, we write $L(|\psi\rangle)$ for the set of atomic propositions satisfied in state $|\psi\rangle$; that is, 

$$L(|\psi\rangle) = \{X \in AP \mid |\psi\rangle \in X\}.$$ 

DEFINITION 3.1. Let $X \in S(H)$. Then we say that state $|\psi\rangle$ satisfies $X$, written $|\psi\rangle \models X$, if 

$$\bigcap_{Y \in L(|\psi\rangle)} Y \subseteq X.$$ 

Note that in the above definition $X$ is allowed to be not in $AP$. The intuitive meaning of the inclusion in the above definition is that the atomic propositions that hold in state $|\psi\rangle$ collectively imply proposition $X$. 

The following simple example provides a clear illustration of the above definition. 
EXAMPLE 3.1. Let $H$ be an $n$-dimensional Hilbert space with orthonormal basis $\{|0\rangle, |1\rangle, \ldots, |n-1\rangle\}$ $(n \geq 2)$, and let $|\psi\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$. 

(1) If we take $AP = \{Y \in S(H) \mid |0\rangle \perp Y\}$, then $L(|\psi\rangle) = \emptyset$ and 

$$\bigcap_{Y \in L(|\psi\rangle)} Y = H.$$ 

Thus, for any $X \in S(H)$, $|\psi\rangle \models X$ if and only if $X = H$. 

(2) Let $AP = \{2\text{-dimensional subspaces of } H\}$. For the case of $n = 2$, we have 

$$\bigcap_{Y \in L(|\psi\rangle)} Y = H,$$ 

and $|\psi\rangle \models X$ if and only if $X = H$. For the case of $n > 2$, 

$$\bigcap_{Y \in L(|\psi\rangle)} Y = \mathrm{span}\{|\psi\rangle\},$$ 

and $|\psi\rangle \models X$ if and only if $|\psi\rangle \in X$. 

(3) If $AP = \{X \in S(H) \mid |2\rangle \in X\}$, then 

$$\bigcap_{Y \in L(|\psi\rangle)} Y = \mathrm{span}\{|\psi\rangle, |2\rangle\},$$ 

and $|\psi\rangle \models X$ if and only if $|\psi\rangle, |2\rangle \in X$. 

We now present a technical lemma which will be frequently used in what follows. Recall that for a finite family $\{X_i\}$ of closed subspaces of $H$, we define the join of $\{X_i\}$ by 

$$\bigvee_i X_i = \mathrm{span}\Big(\bigcup_i X_i\Big).$$ 

In particular, we write $X \vee Y$ for the join of two closed subspaces $X$ and $Y$ of $H$. 

LEMMA 3.1. Suppose that $AP$ satisfies the following two conditions: 

(1) Any two elements $Z_1, Z_2$ of $AP$ commute; that is, $P_{Z_1}P_{Z_2} = P_{Z_2}P_{Z_1}$, where $P_{Z_1}, P_{Z_2}$ are the projections onto $Z_1$ and $Z_2$, respectively; and 

(2) $AP$ is closed under join: if $Z_1, Z_2 \in AP$, then $Z_1 \vee Z_2 \in AP$. 

Let $Y$ be a closed subspace of $H$ with $\{|\psi_i\rangle\}$ as its basis. Then the following two statements are equivalent: 

(1) $|\varphi\rangle \models X$ for all $|\varphi\rangle \in Y$; 

(2) $|\psi_i\rangle \models X$ for all $i$. 

PROOF. It is obvious that (1) implies (2). Now we show that (2) implies (1). For any $|\varphi\rangle \in Y$, we can write 

$$|\varphi\rangle = \sum_{i \in I}\alpha_i|\psi_i\rangle$$ 

for a finite index set $I$ and for some complex numbers $\alpha_i$ $(i \in I)$ because $\{|\psi_i\rangle\}$ is a basis of $Y$. By the assumption that $|\psi_i\rangle \models X$, we obtain 

$$\bigcap_{Z \in L(|\psi_i\rangle)} Z \subseteq X$$ 

for all $i \in I$. Therefore, it follows that 

$$\bigvee_{i \in I}\ \bigcap_{Z \in L(|\psi_i\rangle)} Z \subseteq X.$$ 

Since any two elements of $AP$ commute, distributivity is valid among $AP$ (see Proposition 2.5 in [9]), and we have 

$$\bigvee_{i \in I}\ \bigcap_{Z \in L(|\psi_i\rangle)} Z = \bigcap_{Z(\cdot)}\ \bigvee_{i \in I} Z(i),$$ 

where $Z(\cdot)$ ranges over all choice functions with $Z(i) \in L(|\psi_i\rangle)$ for every $i \in I$. Therefore, we only need to show that 

$$\bigcap_{Z \in L(|\varphi\rangle)} Z \subseteq \bigcap_{Z(\cdot)}\ \bigvee_{i \in I} Z(i). \qquad (1)$$ 

In fact, for any such choice function $Z(\cdot)$, by definition it holds that $|\psi_i\rangle \in Z(i)$ for all $i \in I$. Then 

$$|\varphi\rangle = \sum_{i \in I}\alpha_i|\psi_i\rangle \in \bigvee_{i \in I} Z(i).$$ 

In addition, it is assumed that $AP$ is closed under join. This implies 

$$\bigvee_{i \in I} Z(i) \in L(|\varphi\rangle)$$ 

and 

$$\bigcap_{Z \in L(|\varphi\rangle)} Z \subseteq \bigvee_{i \in I} Z(i).$$ 

So, Eq. (1) is correct, and we complete the proof. □ 
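Definition 3.1 and Lemma 3.1 in working code, as an added example that is not part of the paper. Subspaces are orthonormal bases stored as columns, the meet $\bigcap_{Y \in L(|\psi\rangle)} Y$ is computed as $(\bigvee_Y Y^{\perp})^{\perp}$, and both hypotheses of the lemma (pairwise commuting projectors, closure under join) are tested mechanically. The example goes one step beyond the lemma: it also exhibits a constructed $AP$ in $\mathbb{C}^3$ that is closed under join but not commuting, for which every basis vector of $Y = \mathrm{span}\{|0\rangle, |1\rangle\}$ satisfies $X = Y$ while the superposition $(|0\rangle + |1\rangle)/\sqrt{2} \in Y$ does not, so the commutativity hypothesis cannot simply be dropped. NumPy is assumed and all subspaces and names below are mine.

```python
import numpy as np

TOL = 1e-9


def span_basis(columns):
    """Orthonormal basis (as columns) of the span of the given column vectors."""
    if columns.shape[1] == 0:
        return columns
    u, s, _ = np.linalg.svd(columns, full_matrices=False)
    return u[:, s > TOL]


def projector(x):
    return x @ x.conj().T


def member(psi, x):
    """|psi> in X  iff  P_X|psi> = |psi>."""
    return bool(np.linalg.norm(projector(x) @ psi - psi) < TOL)


def subset(x, y):
    """X ⊆ Y  iff  (I - P_Y) P_X = 0."""
    return bool(np.linalg.norm((np.eye(x.shape[0]) - projector(y)) @ projector(x)) < TOL)


def complement(x):
    """Orthonormal basis of X^⊥, the range of I - P_X."""
    u, s, _ = np.linalg.svd(np.eye(x.shape[0]) - projector(x))
    return u[:, s > TOL]


def join(x, y):
    """X ∨ Y = span(X ∪ Y)."""
    return span_basis(np.hstack([x, y]))


def intersection(subspaces, dim):
    """⋂ Y_k computed as (⋁ Y_k^⊥)^⊥; the empty intersection is H itself."""
    comps = [complement(y) for y in subspaces]
    if not subspaces or sum(c.shape[1] for c in comps) == 0:
        return np.eye(dim, dtype=complex)
    return complement(span_basis(np.hstack(comps)))


def labels(psi, ap):
    """L(|psi>) = {X in AP : |psi> in X}, returned as the member names."""
    return [name for name, x in ap.items() if member(psi, x)]


def satisfies(psi, x, ap):
    """Definition 3.1: |psi> |= X  iff  ⋂_{Y in L(|psi>)} Y ⊆ X."""
    return subset(intersection([ap[n] for n in labels(psi, ap)], x.shape[0]), x)


def commuting(ap):
    """Condition (1) of Lemma 3.1: the projectors onto all members pairwise commute."""
    ps = [projector(x) for x in ap.values()]
    return all(np.allclose(p @ q, q @ p, atol=TOL) for p in ps for q in ps)


def join_closed(ap):
    """Condition (2): X ∨ Y equals some member of AP for all members X, Y."""
    for x in ap.values():
        for y in ap.values():
            j = join(x, y)
            if not any(subset(j, z) and subset(z, j) for z in ap.values()):
                return False
    return True


def basis_vs_superposition(ap, y, x):
    """Statement (2) of Lemma 3.1 (every basis vector of Y satisfies X) next to statement
    (1) tested on the superposition (|psi_1> + |psi_2>)/sqrt2 of the first two basis vectors."""
    basis_ok = all(satisfies(y[:, i], x, ap) for i in range(y.shape[1]))
    phi = (y[:, 0] + y[:, 1]) / np.sqrt(2)
    return basis_ok, satisfies(phi, x, ap)


def demo():
    """H = C^3, Y = X = span{|0>,|1>}, and two constructed choices of AP."""
    e = np.eye(3, dtype=complex)
    y = e[:, [0, 1]]
    # Non-commuting AP: A = span{|0>,|2>}, A' = span{|0>, |1>+|2>}, B = span{|1>}, H.
    # Every join of two distinct members is H, so it is join-closed, but P_A P_A' != P_A' P_A.
    ap_nc = {
        "A": e[:, [0, 2]],
        "A'": span_basis(np.column_stack([e[:, 0], e[:, 1] + e[:, 2]])),
        "B": e[:, [1]],
        "H": e,
    }
    # Commuting AP: the coordinate subspaces span{|0>}, span{|1>}, their join Y, and H.
    ap_c = {"Z0": e[:, [0]], "Z1": e[:, [1]], "Y": y, "H": e}
    return {
        "noncommuting": (commuting(ap_nc), join_closed(ap_nc), basis_vs_superposition(ap_nc, y, y)),
        "commuting": (commuting(ap_c), join_closed(ap_c), basis_vs_superposition(ap_c, y, y)),
    }
```

In the non-commuting case $L(|0\rangle) = \{A, A', H\}$ and $L(|1\rangle) = \{B, H\}$, whose meets are $\mathrm{span}\{|0\rangle\}$ and $\mathrm{span}\{|1\rangle\}$, both inside $Y$; but the superposition lies in none of $A$, $A'$, $B$, so its label set is $\{H\}$, the meet is $H$, and $H \not\subseteq Y$. With the commuting $AP$ the basis check and the superposition check agree, as Lemma 3.1 guarantees.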

3.2 Linear-Time Properties and Satisfaction 

Now the set $AP$ of atomic propositions is fixed and we are going to define linear-time properties over $AP$. We write 

$$(2^{AP})^{*} = \bigcup_{n=0}^{\infty}(2^{AP})^{n}$$ 

for the set of finite sequences of subsets of $AP$ and $(2^{AP})^{\omega}$ for the set of infinite sequences of subsets of $AP$, where $\omega = \{0, 1, 2, \ldots\}$ is the set of natural numbers. In what follows, we will use elements of $(2^{AP})^{\omega}$ (or $(2^{AP})^{*}$) to represent the behavior of a quantum system. This design decision deserves a careful explanation. Let 

$$\sigma = A_0A_1A_2\ldots \in (2^{AP})^{\omega}\ (\text{or } (2^{AP})^{*}).$$ 
Each element $A_n$ $(n \geq 0)$ is a set of closed subspaces of the state space $H$ of a quantum system. So, it can be seen as a quantum object. However, if we do not care about the elements of $A_n$ $(n \geq 0)$ and focus our attention on $\sigma$ itself, then $\sigma$ is a classical object. Here, we can imagine that two levels exist in $\sigma$: the object logical level and the meta-logical level. The object logical level is the objects under consideration, so it belongs to the quantum world. On the other hand, the meta-logical level is the way in which we (human beings) reason about the quantum world, so it is reasonably defined to be a classical object. In the sequel, we will see that the study of the behavior of a quantum system at the meta-logical level is similar to the classical case, but the study at the object logical level is very different because some essential differences between the quantum world and the classical world will irreversibly appear. 

For a path $\pi = |\psi_0\rangle|\psi_1\rangle|\psi_2\rangle\ldots$ in a quantum automaton $\mathcal{A}$, we write 

$$L(\pi) = L(|\psi_0\rangle)L(|\psi_1\rangle)L(|\psi_2\rangle)\ldots \in (2^{AP})^{\omega}.$$ 

Similarly, if $\pi = |\psi_0\rangle|\psi_1\rangle\ldots|\psi_n\rangle$ is a path fragment in $\mathcal{A}$, then we write 

$$L(\pi) = L(|\psi_0\rangle)L(|\psi_1\rangle)\ldots L(|\psi_n\rangle).$$ 

DEFINITION 3.2. The set of traces and the set of finite traces of a quantum automaton $\mathcal{A}$ are defined as follows: 

$$Traces(\mathcal{A}) = \{L(\pi) \mid \pi \text{ is a path in } \mathcal{A}\},$$ 

$$Traces_{fin}(\mathcal{A}) = \{L(\pi) \mid \pi \text{ is a path fragment in } \mathcal{A}\}.$$ 

Obviously, $Traces(\cdot)$ and $Traces_{fin}(\cdot)$ describe the infinite and finite behaviors, respectively, of quantum automata. Note that what concerns us in this paper are only linear-time behaviors of quantum systems, since the behaviors of a system are depicted in terms of sequences. In future studies we will also consider branching-time behaviors represented by trees instead of sequences. But the branching-time behavior of a quantum system is much more complicated than its classical counterpart due to the possibility of superposition of quantum states. 

A (linear-time) property of a quantum automaton $\mathcal{A}$ in Hilbert space $H$ is then defined to be a subset $P$ of $(2^{AP})^{\omega}$; in other words, an element of $P$ is an infinite sequence $A_0A_1A_2\ldots$ such that $A_n$ is a subset of $AP$ for all $n \geq 0$. A property $P$ specifies the admissible behaviors of machine $\mathcal{A}$: if $A_0A_1A_2\ldots \in P$, then a path $\pi = |\psi_0\rangle|\psi_1\rangle|\psi_2\rangle\ldots$ of $\mathcal{A}$ is admissible whenever $|\psi_n\rangle$ satisfies all the atomic propositions in $A_n$ for all $n \geq 0$; otherwise the path $\pi$ is prohibited by $P$. 

Now we are ready to define the key notion of satisfaction of a property by a quantum 
system. 

DEFINITION 3.3. We say that a quantum automaton $\mathcal{A}$ satisfies a linear-time property $P$, written $\mathcal{A} \models P$, if $Traces(\mathcal{A}) \subseteq P$. 

3.3 Safety Properties 

In the remainder of this section, we consider several special classes of linear-time properties. Safety is one of the most important kinds of linear-time properties. A safety property specifies that "something bad never happens" [24]. An elegant definition of safety property was introduced by Alpern and Schneider [1] based on the intuition that a "bad event" for a safety property occurs in a finite amount of time, if it occurs at all. Their definition can be naturally generalized to the quantum case by simply replacing atomic propositions about a classical system with closed subspaces of a Hilbert space. Formally, a finite sequence $\hat{\sigma} \in (2^{AP})^{*}$ is called a bad prefix of a property $P$ if $\hat{\sigma}\sigma \notin P$ for all $\sigma \in (2^{AP})^{\omega}$. We write $BPref(P)$ for the set of bad prefixes of $P$. Let $\hat{\sigma} \in (2^{AP})^{*}$ and $\sigma \in (2^{AP})^{\omega}$. If $\sigma = \hat{\sigma}\sigma'$ for some $\sigma' \in (2^{AP})^{\omega}$, then $\hat{\sigma}$ is said to be a prefix of $\sigma$. 

DEFINITION 3.4. A property $P$ is called a safety property if any $\sigma \notin P$ has a prefix $\hat{\sigma} \in BPref(P)$. 

The following lemma gives a simple characterization of the satisfaction relation between quantum systems and safety properties. 

LEMMA 3.2. For any quantum automaton $\mathcal{A}$, and for any safety property $P$, $\mathcal{A} \models P$ if and only if 

$$Traces_{fin}(\mathcal{A}) \cap BPref(P) = \emptyset.$$ 

For any $\sigma_1, \sigma_2 \in (2^{AP})^{*}$, if there is $\sigma \in (2^{AP})^{*}$ such that $\sigma_1 = \sigma_2\sigma$, then $\sigma_2$ is called a prefix of $\sigma_1$ and we write $\sigma_2 \sqsubseteq \sigma_1$. It is obvious that $\sqsubseteq$ is a partial order on $(2^{AP})^{*}$. We write $MBPref(P)$ for the set of minimal bad prefixes of $P$, that is, minimal elements of $BPref(P)$ with respect to the order $\sqsubseteq$. It is easy to see that $BPref(P)$ in the definition of safety property and in Lemma 3.2 can be replaced by $MBPref(P)$. 

To conclude this subsection, we would like to point out that up to now our discussion on linear-time properties of quantum systems is almost the same as that for classical systems; e.g. the definition and characterization of safety property simply mimic their classical counterparts. However, some essential differences between classical and quantum systems will come out in the next subsection. 

3.4 Invariants 

A special class of safety properties are invariants. Invariants will play a key role in the verification of safety properties for quantum systems. As in the classical case, the problem of model-checking a big class of safety properties will be reduced to the problem of checking invariants. 

DEFINITION 3.5. A property $P$ is said to be an invariant if there exists a closed subspace $X$ of $H$ such that 

$$P = \Big\{A_0A_1A_2\ldots \in (2^{AP})^{\omega}\ \Big|\ \bigcap_{Y \in A_n} Y \subseteq X \text{ for all } n \geq 0\Big\}. \qquad (2)$$ 

Intuitively, the condition 

$$\bigcap_{Y \in A_n} Y \subseteq X$$ 

in Eq. (2) means that the atomic propositions in $A_n$ together imply the proposition $X$. We will call $P$ the invariant defined by $X$ and write $P = \mathrm{inv}X$, and $X$ is often called the invariant condition of $\mathrm{inv}X$. 

As a concrete example, we consider stabilizers [17], which have been widely used in 
quantum error-correction (see for example [27], Chapter 10) and measurement-based quan- 
tum computation [31] as well as multi-partite teleportation and super-dense coding [33; ?]. 

EXAMPLE 3.2. We write 

$$H_2 = \{\alpha|0\rangle + \beta|1\rangle \mid \alpha, \beta \in \mathbb{C}\}$$ 

for the $2$-dimensional Hilbert space. So, $H_2$ is the state space of a single qubit. A state of a qubit is a vector $\alpha|0\rangle + \beta|1\rangle$ with $|\alpha|^2 + |\beta|^2 = 1$. Let $H = H_2^{\otimes n}$ be the tensor product of $n$ copies of $H_2$. Then it is the state space of $n$ qubits. We write $I_2$ for the identity operator on $H_2$. The Pauli matrices 

$$X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$$ 

are unitary operators on $H_2$. The set 

$$G_1 = \{\pm I_2, \pm iI_2, \pm X, \pm iX, \pm Y, \pm iY, \pm Z, \pm iZ\}$$ 

forms a group with the composition of operators as its group operation. It is the Pauli group on a single qubit. More generally, the Pauli group on $n$ qubits is 

$$G_n = \{A_1 \otimes \ldots \otimes A_n \mid A_1, \ldots, A_n \in G_1\}.$$ 

Now let $S$ be a subgroup of $G_n$ generated by $g_1, \ldots, g_l$. Recall that a state $|\psi\rangle \in H_2^{\otimes n}$ is stabilized by $S$ if $g|\psi\rangle = |\psi\rangle$ for all $g \in S$. We put $Act = \{a_k : k = 1, \ldots, l\}$, $U_{a_k} = g_k$ for $1 \leq k \leq l$, and $I = \mathrm{span}\{|\psi\rangle\}$. Then 

$$\mathcal{A} = (Act, \{U_a \mid a \in Act\}, I)$$ 

is a quantum automaton. Suppose that $AP$ contains all one-dimensional subspaces of $H$. If $S$ is a stabilizer of $|\psi\rangle$, then $\mathrm{span}\{|\psi\rangle\}$ is an invariant of $\mathcal{A}$, i.e. $\mathcal{A} \models \mathrm{inv}(\mathrm{span}\{|\psi\rangle\})$. Conversely, if $\mathcal{A} \models \mathrm{inv}(\mathrm{span}\{|\psi\rangle\})$, then $S$ is a stabilizer of $|\psi\rangle$ modulo phase shifts, i.e. for every $g \in S$, we have $g|\psi\rangle = e^{i\alpha}|\psi\rangle$ for some real number $\alpha$. 

Now we are going to give some conditions under which an invariant holds in a quantum automaton $\mathcal{A} = (Act, \{U_a \mid a \in Act\}, I)$ with state space $H$. First, we observe that $\mathcal{A} \models \mathrm{inv}X$ if and only if $|\psi\rangle \models X$ for all states $|\psi\rangle \in R(\mathcal{A})$, that is, all states reachable from some state $|\varphi\rangle \in I$. Note that the space $I$ of initial states is a continuum. This is very different from the classical case, where we usually only have finitely or countably infinitely many initial states, and it makes checking an invariant in a quantum system much harder than in a classical system. The following lemma shows that, under a certain commutativity of the elements of $AP$ and closure of $AP$ under join, we only need to consider the states reachable from a basis of $I$, which is a finite set or at most a countably infinite set. 

LEMMA 3.3. Suppose that the initial states of quantum automaton $\mathcal{A}$ are spanned by $\{|\psi_i\rangle\}$, that is, $I = \mathrm{span}\{|\psi_i\rangle\}$, and suppose that $AP$ is as in Lemma 3.1. Then $\mathcal{A} \models \mathrm{inv}X$ if and only if $|\psi\rangle \models X$ for any state $|\psi\rangle$ reachable in $\mathcal{A}$ from some $|\psi_i\rangle$, $i \geq 1$. 

PROOF. The "only if" part is obvious. Now we prove the "if" part. It suffices to prove the following: 

— Claim: If $|\xi\rangle \models X$ for all states $|\xi\rangle$ reachable from some $|\psi_i\rangle$, $i \geq 1$, then $|\psi\rangle \models X$ for any state $|\psi\rangle$ reachable from some state $|\varphi\rangle \in I$. 

In fact, for any $|\varphi\rangle \in I$, we can write 

$$|\varphi\rangle = \sum_i \alpha_i|\psi_i\rangle$$ 

for some complex numbers $\alpha_i$ because $I = \mathrm{span}\{|\psi_i\rangle\}$. If $|\psi\rangle$ is reachable from $|\varphi\rangle$, then there are $a_1, \ldots, a_n \in Act$, $n \geq 0$, such that 

$$|\psi\rangle = U_{a_n}\ldots U_{a_1}|\varphi\rangle.$$ 

We put 

$$|\xi_i\rangle = U_{a_n}\ldots U_{a_1}|\psi_i\rangle$$ 

for each $i \geq 1$. Then 

$$|\psi\rangle = \sum_i \alpha_i|\xi_i\rangle,$$ 

and $|\xi_i\rangle$ is reachable from $|\psi_i\rangle$. It immediately follows from Lemma 3.1 that $|\psi\rangle \models X$ provided that $|\xi_i\rangle \models X$ for all $i \geq 1$. This completes the proof. □ 

The above lemma will play a key role in the proofs of the main results in this paper (The- 
orems 5.1 and 6.1 below). It is worth mentioning again that both of them appeal to a cer- 
tain commutativity of atomic propositions in AP. As is well-known, non-commutativity 
of observables is one of the most essential features that distinguish quantum systems from 
classical systems. So, the commutativity condition in these lemmas is very restrictive. 
Fortunately, atomic propositions dealt with in these theorems just automatically enjoy the 
required commutativity. 

The following simple corollary gives a sufficient condition for an invariant, which matches our intuition of an invariant of a system very well. 

COROLLARY 3.1. Suppose that $AP$ satisfies the two conditions in Lemma 3.1, and suppose that $I = \mathrm{span}\{|\psi_i\rangle\}$. If 

(1) $|\psi_i\rangle \models X$ for all $i$; and 

(2) $U_aY \subseteq Y$ for all $Y \in AP$ and for all $a \in Act$, 

then $\mathcal{A} \models \mathrm{inv}X$. 

PROOF. We first have the following: 

— Claim: $|\psi\rangle \models X$ implies $U_a|\psi\rangle \models X$ for all $a \in Act$. 

In fact, it follows from condition (2) that 

$$L(|\psi\rangle) = \{Y \in AP \mid |\psi\rangle \in Y\} \subseteq \{Y \in AP \mid U_a|\psi\rangle \in Y\} = L(U_a|\psi\rangle).$$ 

Thus, if $|\psi\rangle \models X$, then 

$$\bigcap_{Y \in L(U_a|\psi\rangle)} Y \subseteq \bigcap_{Y \in L(|\psi\rangle)} Y \subseteq X,$$ 

and $U_a|\psi\rangle \models X$. Now the proof is completed by simply combining the above claim, condition (1) and Lemma 3.3. □ 

3.5 Liveness Properties 

Liveness properties are another important kind of linear-time properties that are in a sense 
dual to safety properties. A liveness property specifies that "something good will happen 
eventually" [24]. Alpern and Schneider's definition of liveness property [1] can be simply 
extended to quantum systems. 
DEFINITION 3.6. A linear-time property $P \subseteq (2^{AP})^\omega$ is called a liveness property if for any $\sigma \in (2^{AP})^*$ there exists $\rho \in (2^{AP})^\omega$ such that $\sigma\rho \in P$.

Some interesting characterizations of liveness properties (see [2], Lemmas 3.35 and 3.38 and Theorem 3.37) can be easily generalized to the quantum case, because their proofs are based only on the upper structure of linear-time properties, which is entirely classical, and do not depend on their bottom structure, namely the state spaces of quantum systems.

Local unitary equivalence [20] is a key criterion for the classification of multipartite entanglements, of which physicists are still far from a complete understanding. The following example shows that local unitary equivalence can be properly described in terms of liveness.

EXAMPLE 3.3. Suppose that $H$ is a Hilbert space and $H^{\otimes n}$ is the tensor product of $n$ copies of $H$. Let $\mathcal{U}$ be a set of unitary operators on $H$. It is unnecessary that $\mathcal{U}$ contains all unitary operators on $H$. The elements of $\mathcal{U}$ can be understood as the operations allowed in the scenario under consideration. For any $U \in \mathcal{U}$ and $1 \le i \le n$,

$$U_i = I_H \otimes \cdots \otimes I_H \otimes U \otimes I_H \otimes \cdots \otimes I_H \quad (U \text{ in the } i\text{th position})$$

is a unitary operator on $H^{\otimes n}$ which performs $U$ on the $i$th copy of $H$ and does nothing on the other copies, where $I_H$ is the identity operator on $H$. So, $U_i$ can be seen as a local operation on $H^{\otimes n}$. For any two $n$-partite states $|\varphi\rangle, |\psi\rangle \in H^{\otimes n}$, if there exists a sequence $U^{(1)}, \ldots, U^{(m)}$ of local operations such that

then we say that $|\varphi\rangle$ and $|\psi\rangle$ are locally $\mathcal{U}$-equivalent.

We can naturally construct a quantum automaton in $H^{\otimes n}$ that starts in state $|\varphi\rangle$ and performs local $\mathcal{U}$-operations:

$$\mathcal{A} = (H^{\otimes n},\ Act = \{U_i \mid U \in \mathcal{U} \text{ and } 1 \le i \le n\},\ I = \mathrm{span}\{|\varphi\rangle\}).$$

Now we put

$$P = \{A_0 A_1 A_2 \ldots \in (2^{AP})^\omega \mid \exists n \ge 0.\ A_n = \mathrm{span}\{|\psi\rangle\}\}.$$

Obviously, $P$ is a liveness property. It is easy to see that if $|\varphi\rangle$ and $|\psi\rangle$ are locally $\mathcal{U}$-equivalent, then $\mathcal{A} \models P$. Conversely, if $\mathcal{A} \models P$, then $|\varphi\rangle$ and $|\psi\rangle$ are locally $\mathcal{U}$-equivalent modulo phase shifts, i.e.

$$|\psi\rangle = e^{i\alpha}\, U^{(m)} \cdots U^{(1)} |\varphi\rangle$$

for some real number $\alpha$ and local operations $U^{(1)}, \ldots, U^{(m)}$.

3.6 Persistence Properties 

Persistence properties are a very useful class of liveness properties. A persistence property 
asserts that a certain condition always holds from some moment on. 

DEFINITION 3.7. A property $P$ is called a persistence property if there exists $X \in \mathcal{S}(H)$ such that

$$P = \Big\{A_0 A_1 A_2 \ldots \in (2^{AP})^\omega \ \Big|\ \exists m\ \forall n \ge m.\ \bigcap_{Y \in A_n} Y \subseteq X\Big\} \qquad (3)$$

In the case that Eq. (3) holds, we say that $P$ is the persistence property defined by $X$ and write $P = \mathrm{pers}X$.

As in the case of invariants, to check whether a persistence property is satisfied by a quantum automaton we have to consider the behaviors of the automaton starting in all initial states, which form a continuum. The next lemma indicates that it suffices to consider the behavior starting in some basis states of the space of initial states if a certain commutativity is imposed on the atomic propositions in $AP$.

LEMMA 3.4. Let $AP$ be as in Lemma 3.1. Suppose that $I$ is finite-dimensional and $I = \mathrm{span}\{|\psi_1\rangle, \ldots, |\psi_k\rangle\}$. Then $\mathcal{A} \models \mathrm{pers}X$ if and only if for each $1 \le i \le k$, and for each path

$$|\psi_i\rangle = |\zeta_0\rangle \to |\zeta_1\rangle \to |\zeta_2\rangle \to \cdots$$

starting in a basis state there exists $m \ge 0$ such that $|\zeta_n\rangle \models X$ for all $n \ge m$.

PROOF. We only need to prove the "if" part. By Definition 3.7 it suffices to show that for any path

$$|\eta_0\rangle \to |\eta_1\rangle \to |\eta_2\rangle \to \cdots$$

in $\mathcal{A}$, where $|\eta_0\rangle \in I$, we can find $m \ge 0$ such that $|\eta_n\rangle \models X$ for all $n \ge m$. Since $|\eta_0\rangle \in I = \mathrm{span}\{|\psi_1\rangle, \ldots, |\psi_k\rangle\}$, we have

$$|\eta_0\rangle = \sum_{i=1}^{k} a_i |\psi_i\rangle$$

for some complex numbers $a_i$ ($1 \le i \le k$). Put

$$|\zeta_{ij}\rangle = U_{a_j} \cdots U_{a_1} U_{a_0} |\psi_i\rangle$$

for all $1 \le i \le k$ and $j \ge 0$. A simple calculation shows that

$$|\eta_j\rangle = \sum_{i=1}^{k} a_i |\zeta_{ij}\rangle$$

for all $j \ge 0$. On the other hand, for each $1 \le i \le k$, we have the following transitions:

$$|\psi_i\rangle = |\zeta_{i0}\rangle \xrightarrow{a_0} |\zeta_{i1}\rangle \xrightarrow{a_1} |\zeta_{i2}\rangle \xrightarrow{a_2} \cdots$$

in $\mathcal{A}$. By the assumption, there is $m_i \ge 0$ such that $|\zeta_{in}\rangle \models X$ for all $n \ge m_i$. Let $m = \max_{i=1}^{k} m_i$. Then for all $n \ge m$, we have $|\zeta_{in}\rangle \models X$ for all $1 \le i \le k$ and

$$|\eta_n\rangle = \sum_{i=1}^{k} a_i |\zeta_{in}\rangle.$$

By Lemma 3.1 we obtain $|\eta_n\rangle \models X$ and thus complete the proof. □

Note that, in addition to the conditions assumed in Lemma 3.1, the above lemma also requires that the space of initial states is finite-dimensional. This requirement is needed in the last step of the proof of the above lemma.
Lemmas 3.3 and 3.4 will play a key role in the proofs of the main results in this paper (Theorems 5.1 and 6.1 below). It is worth mentioning again that both of them appeal to a certain commutativity of atomic propositions in $AP$. As is well known, non-commutativity of observables is one of the most essential features that distinguish quantum systems from classical systems. So, the commutativity condition in these lemmas is very restrictive. Fortunately, the atomic propositions dealt with in these theorems automatically enjoy the required commutativity.

The above lemma requires that the space of initial states is finite-dimensional, but the Hilbert space $H$ can be infinite-dimensional. The following lemma indicates that persistence properties and invariants coincide whenever $H$ is finite-dimensional.

LEMMA 3.5. Suppose that $H$ is finite-dimensional and $AP$ is as in Lemma 3.1. Then $\mathcal{A} \models \mathrm{pers}X$ if and only if $\mathcal{A} \models \mathrm{inv}X$.

PROOF. The "if" part is obvious. We now prove the "only if" part. Assume that $\mathcal{A} \models \mathrm{pers}X$; we want to show that $\mathcal{A} \models \mathrm{inv}X$. It suffices to demonstrate that $|\psi\rangle \models X$ for all $|\psi\rangle \in RS(\mathcal{A})$. Since $H$ is finite-dimensional, we can find a maximal set $\{|\psi_1\rangle, \ldots, |\psi_l\rangle\}$ of linearly independent states in $RS(\mathcal{A})$. Then it is a basis of $RS(\mathcal{A})$.

For each $1 \le i \le l$, let $|\varphi_0\rangle|\varphi_1\rangle \ldots |\varphi_n\rangle$ be a path fragment in $\mathcal{A}$ such that $|\varphi_0\rangle \in I$ and $|\varphi_n\rangle = |\psi_i\rangle$. We arbitrarily choose a unitary operator $U \in \{U_a \mid a \in Act\}$ and set

$$|\varphi_{n+k}\rangle = U^k |\varphi_n\rangle$$

for all $k \ge 1$. Then the path fragment $|\varphi_0\rangle|\varphi_1\rangle \ldots |\varphi_n\rangle$ is extended to a path $|\varphi_0\rangle|\varphi_1\rangle \ldots |\varphi_n\rangle|\varphi_{n+1}\rangle \ldots$ in $\mathcal{A}$. It follows from the assumption $\mathcal{A} \models \mathrm{pers}X$ that there exists $m_i \ge 0$ with

$$U^k |\psi_i\rangle = |\varphi_{n+k}\rangle \models X$$

for all $k \ge m_i$. Put $m = \max_{i=1}^{l} m_i$. Then $U^m |\psi_i\rangle \models X$ for all $1 \le i \le l$. By Lemma 3.1 we obtain that $|\psi\rangle \models X$ for all

$$|\psi\rangle \in \mathrm{span}\{U^m |\psi_i\rangle \mid 1 \le i \le l\} = U^m RS(\mathcal{A}).$$

By definition we have $U R(\mathcal{A}) \subseteq R(\mathcal{A})$ and thus $U RS(\mathcal{A}) \subseteq RS(\mathcal{A})$. On the other hand, $\dim(U RS(\mathcal{A})) = \dim(RS(\mathcal{A}))$ because $U$ is a unitary operator. Then it follows that $U RS(\mathcal{A}) = RS(\mathcal{A})$. Consequently, it holds that $U^m RS(\mathcal{A}) = RS(\mathcal{A})$, and we complete the proof. □

We have a counterexample showing that the above lemma is not true in an infinite- 
dimensional Hilbert space H. 

EXAMPLE 3.4. Consider the space $l^2$ of square summable sequences:

$$l^2 = \Big\{\sum_{n=-\infty}^{\infty} \alpha_n |n\rangle \ :\ \alpha_n \in \mathbb{C} \text{ for all } n \text{ and } \sum_{n=-\infty}^{\infty} |\alpha_n|^2 < \infty\Big\}.$$

The inner product in $l^2$ is defined by

$$\Big(\sum_{n=-\infty}^{\infty} \alpha_n |n\rangle,\ \sum_{n=-\infty}^{\infty} \alpha'_n |n\rangle\Big) = \sum_{n=-\infty}^{\infty} \overline{\alpha_n}\, \alpha'_n$$

for all $\alpha_n, \alpha'_n \in \mathbb{C}$, $-\infty < n < \infty$. The translation operator $U_+$ on $l^2$ is defined by

$$U_+ |n\rangle = |n+1\rangle$$

for all $n$. It is easy to verify that $U_+$ is a unitary operator. Let $Act$ consist of a single action name $+$, $Act = \{+\}$, and $I = \mathrm{span}\{|0\rangle\}$. Then $\mathcal{A} = (Act, \{U_a \mid a \in Act\}, I)$ is a quantum automaton. Let $k$ be an integer, and let

$$[k) = \mathrm{span}\{|n\rangle \mid n \ge k\}$$

and

$$(k-1] = \mathrm{span}\{|n\rangle \mid n \le k-1\}.$$

Put $AP = \{[k), (k-1], l^2\}$. Then $AP$ satisfies the two conditions in Lemma 3.1. It is easy to see that $\mathcal{A} \models \mathrm{pers}[k)$ but $\mathcal{A} \models \mathrm{inv}[k)$ does not hold provided $k > 0$.

4. ALGORITHMS FOR CHECKING INVARIANTS 

In this section, we present an algorithm for checking invariants of a quantum automaton $\mathcal{A} = (Act, \{U_a \mid a \in Act\}, I)$ in a finite-dimensional state space $H$. The design of this algorithm is based on Lemma 2.1 and the following observation: if $\{|\psi_1\rangle, \ldots, |\psi_l\rangle\}$ is a basis of $RS(\mathcal{A})$, then $\mathcal{A} \models \mathrm{inv}X$ if and only if $|\psi_i\rangle \models X$ for all $1 \le i \le l$. The last condition can be checked by a forward depth-first search.



Algorithm: Invariant checking.

Input:

(1) The set $\{U_a \mid a \in Act\}$ of the unitary operators in $\mathcal{A}$;

(2) A basis $\{|\psi_1\rangle, |\psi_2\rangle, \ldots, |\psi_k\rangle\}$ of the space $I$ of initial states;

(3) A subspace $X$ of $H$.

Output: true if $\mathcal{A} \models \mathrm{inv}X$, otherwise false.

    set of state B := ∅;                 (* a basis of RS(A) *)
    stack of state S := ε;               (* the empty stack *)
    bool b := true;                      (* all states in B satisfy X *)
    for i = 1, 2, ..., k do
        B := B ∪ {|ψ_i⟩};                (* initial states are reachable *)
        push(|ψ_i⟩, S);                  (* start a depth-first search with initial states *)
        b := b ∧ (|ψ_i⟩ ⊨ X);            (* check if all initial states satisfy X *)
    od
    while (b ∧ S ≠ ∅) do
        |ψ⟩ := top(S);                   (* consider a reachable state *)
        pop(S);
        for all a ∈ Act do
            |ξ⟩ := U_a |ψ⟩;              (* get a candidate state *)
            b := b ∧ (|ξ⟩ ⊨ X);          (* check if X is satisfied *)
            if b ∧ |ξ⟩ ∉ span B then     (* check if it has not been considered *)
                B := B ∪ {|ξ⟩};          (* extend B by adding new reachable states *)
                push(|ξ⟩, S)
            fi
        od
    od
    return b

4.1 Analyzing the Algorithm 

First, we observe that a candidate state $|\xi\rangle \in \mathrm{span}B$ is never added into $B$. So the elements in $B$ are always linearly independent, and thus there are at most $d = \dim H$ elements in $B$. Furthermore, note that a state is pushed into $S$ if and only if it has been added into $B$. Then $S$ becomes empty after popping at most $d$ states. This implies that the algorithm terminates after at most $d$ iterations of the while loop.

Second, it is easy to check that all elements in $B$ are always reachable. In fact, the initial states $|\psi_i\rangle$ are reachable, and if some $|\psi\rangle \in B$ is reachable, then all candidate states $|\xi\rangle = U_a|\psi\rangle$ are reachable. So, if an execution of the algorithm returns false, then there must be a reachable state $|\psi_i\rangle$ or some candidate state $|\xi\rangle$ that does not satisfy $X$.

If the output is true, then according to Lemma 3.1, all states in $B$, and further all states in $\mathrm{span}B$, satisfy $X$. Therefore, the correctness of the above algorithm follows immediately from the following:

Lemma 4.1. $RS(\mathcal{A}) \subseteq \mathrm{span}B$.

PROOF. We only need to check that $\mathrm{span}B$ satisfies conditions 1) and 2) in Lemma 2.1. Condition 1) is satisfied as $|\psi_i\rangle \in B$ for all $1 \le i \le k$. Note that for any $|\psi\rangle \in B$ and any $a \in Act$, $U_a|\psi\rangle$ was a candidate state at some time, and then either $U_a|\psi\rangle \in \mathrm{span}B$ or it was added into $B$. So we always have $U_a|\psi\rangle \in \mathrm{span}B$. Consequently,

$$U_a(\mathrm{span}B) = \mathrm{span}(U_a B) \subseteq \mathrm{span}(\mathrm{span}B) = \mathrm{span}B$$

and condition 2) is also satisfied. □

The algorithm is not feasible enough in practice, although it has been proved theoretically correct above. The reason is that, unlike the classical case where only a finite number of states are involved, the state space here is continuous, so a state cannot be recorded exactly in a finite amount of storage. Errors are therefore introduced and accumulated during the execution, making the result unstable. For example, the truth value of $|\xi\rangle \notin \mathrm{span}B$ is quite sensitive to the error in $|\xi\rangle$ in our algorithm, so even a small error here may change this value and then change the execution of the algorithm a lot.
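The depth-first search above, together with the numerical caveat just discussed, as an added example (illustrative code written for this page, not the paper's own implementation). It assumes numpy, represents a subspace by a list of spanning vectors, and replaces the exact test $|\xi\rangle \notin \mathrm{span}B$ with a least-squares residual compared against a tolerance TOL, which is an assumption of this example rather than something the paper prescribes; the two-qubit automata at the bottom are constructed for illustration:

```python
"""Invariant checking of a finite-dimensional quantum automaton by forward DFS.

Added example following the pseudocode in Section 4; the tolerance-based
membership test is an assumption of this example, not part of the paper.
"""
import numpy as np

TOL = 1e-9  # tolerance for subspace-membership tests (assumption of this example)


def in_span(vec, basis, tol=TOL):
    """True iff `vec` lies in span(basis), judged by the least-squares residual."""
    if not basis:
        return np.linalg.norm(vec) < tol
    B = np.column_stack(basis)
    coeff, *_ = np.linalg.lstsq(B, vec, rcond=None)
    return np.linalg.norm(B @ coeff - vec) < tol


def satisfies(vec, X, tol=TOL):
    """|psi> |= X for a closed subspace X given by a list of spanning vectors."""
    return in_span(vec, X, tol)


def check_invariant(unitaries, init_basis, X, tol=TOL):
    """Return True iff A |= inv X.

    unitaries : dict mapping action name -> d x d unitary (numpy array)
    init_basis: list of vectors forming a basis of the initial space I
    X         : list of vectors spanning the subspace X of H
    """
    B = []          # linearly independent reachable states; span B contains RS(A)
    S = []          # DFS stack
    b = True
    for psi in init_basis:             # initial states are reachable
        B.append(psi)
        S.append(psi)
        b = b and satisfies(psi, X, tol)
    while b and S:
        psi = S.pop()                  # consider a reachable state
        for U in unitaries.values():
            xi = U @ psi               # candidate state
            b = b and satisfies(xi, X, tol)
            if b and not in_span(xi, B, tol):
                B.append(xi)           # a new direction of RS(A)
                S.append(xi)
                assert len(B) <= len(xi)   # |B| never exceeds dim H (Section 4.1)
    return b


def two_qubit_example():
    """Constructed sample: I = span{|00>}, X = span{|00>, |11>}."""
    ket = [np.eye(4, dtype=complex)[k] for k in range(4)]   # |00>, |01>, |10>, |11>
    X_gate = np.array([[0, 1], [1, 0]], dtype=complex)
    XX = np.kron(X_gate, X_gate)                            # flips both qubits
    CNOT = np.array([[1, 0, 0, 0], [0, 1, 0, 0],
                     [0, 0, 0, 1], [0, 0, 1, 0]], dtype=complex)
    init, X_sub = [ket[0]], [ket[0], ket[3]]
    # Reachable states are |00> and |11>, both inside X.
    only_xx = check_invariant({"xx": XX}, init, X_sub)
    # CNOT maps the reachable |11> to |10>, which is outside X.
    with_cnot = check_invariant({"xx": XX, "cnot": CNOT}, init, X_sub)
    return only_xx, with_cnot


if __name__ == "__main__":
    print(two_qubit_example())
```

The tolerance is the whole point of the caveat: with an exact equality test the candidate $U_a|\psi\rangle$ would almost never be recognised as lying in $\mathrm{span}B$ once rounding error has crept in, and the search would keep adding states until the `assert` on $|B| \le \dim H$ fails.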

4.2 Improving the Algorithm 

In this subsection, we show that the above algorithm can be dramatically improved whenever the unitary operator $U_a$ has no degenerate eigenstates for every $a \in Act$; more precisely, in this case, invariant checking of the quantum automaton $\mathcal{A}$ can be reduced to a problem of classical invariant checking.

First, we observe that $RS(\mathcal{A})$ satisfies condition 2) in Lemma 2.1 and it can be rewritten as $U_a RS(\mathcal{A}) = RS(\mathcal{A})$, or equivalently,

$$U_a P_{RS(\mathcal{A})} = P_{RS(\mathcal{A})} U_a,$$

where $P_{RS(\mathcal{A})}$ is the projection onto $RS(\mathcal{A})$, whenever $H$ is finite-dimensional. On the other hand, each $U_a$ can be uniquely eigen-decomposed and thus has exactly $d$ eigenstates. Let $\lambda$ be an eigenvalue of $U_a$ and $|\psi\rangle$ the corresponding eigenstate. Then

$$U_a (P_{RS(\mathcal{A})} |\psi\rangle) = (U_a P_{RS(\mathcal{A})}) |\psi\rangle = (P_{RS(\mathcal{A})} U_a) |\psi\rangle = \lambda\, P_{RS(\mathcal{A})} |\psi\rangle.$$

So, $P_{RS(\mathcal{A})}|\psi\rangle \propto |\psi\rangle$ and

$$P_{RS(\mathcal{A})^\perp} |\psi\rangle = |\psi\rangle - P_{RS(\mathcal{A})} |\psi\rangle \propto |\psi\rangle.$$

We have $P_{RS(\mathcal{A})}|\psi\rangle = 0$ or $P_{RS(\mathcal{A})^\perp}|\psi\rangle = 0$ since

$$\langle \psi | P_{RS(\mathcal{A})} P_{RS(\mathcal{A})^\perp} | \psi \rangle = 0.$$

Thus, every eigenstate of $U_a$ is in $RS(\mathcal{A})$ or in $RS(\mathcal{A})^\perp$.
Recall that a transition system is a 6-tuple

$$TS_C = (S_C, Act_C, \to_C, I_C, AP_C, L_C),$$

where

(1) $S_C$ is a set of (classical) states;

(2) $Act_C$ is a set of the names of (classical) actions;

(3) $\to_C \subseteq S_C \times Act_C \times S_C$ is a transition relation;

(4) $I_C \subseteq S_C$ is a set of initial states;

(5) $AP_C$ is a set of (classical) atomic propositions; and

(6) $L_C : S_C \to 2^{AP_C}$ is a labeling function.

We now construct a transition system $TS_C$ from the automaton $\mathcal{A} = (Act, \{U_a \mid a \in Act\}, I)$ as follows:

(1) $S_C = \{\psi \mid |\psi\rangle \text{ is an eigenstate of } U_a \text{ for some } a \in Act\}$, where each element $\psi$ in $S_C$ is regarded as the (classical) name of the corresponding quantum state $|\psi\rangle$;

(2) $Act_C = \{\tau\}$ consists of only one element $\tau$;

(3) $\to_C = \{(\psi, \tau, \varphi) \mid \langle \psi | \varphi \rangle \ne 0\}$;

(4) $I_C = \{\psi \in S_C \mid |\psi\rangle \text{ is nonorthogonal to } I\}$;

(5) $AP_C = \{p_\psi \mid \psi \in S_C\}$, where for each $\psi \in S_C$, the atomic proposition $p_\psi$ is defined as follows: $\varphi \models p_\psi$ if and only if $\varphi = \psi$, for all $\varphi \in S_C$; and

(6) $L_C(\psi) = \{p_\psi\}$ for all $\psi \in S_C$.

Next, for each closed subspace $X$ of the Hilbert space $H$, we define a corresponding classical invariant property $P_{inv}$ over $AP_C$ as follows:

$$P_{inv} = \{A_0 A_1 A_2 \ldots \in (2^{AP_C})^\omega \mid A_n \models \Phi \text{ for all } n \ge 0\}$$

where the invariant condition is

$$\Phi = \bigvee \{p_\psi \mid \psi \in S_C \text{ and } |\psi\rangle \models X\}.$$

Furthermore, put

$$R(TS_C) = \{\psi \in S_C \mid \psi \text{ is a reachable state of } TS_C\}.$$

Then we have:

$$TS_C \models P_{inv} \iff \forall \psi \in R(TS_C),\ \psi \models \Phi \iff \forall \psi \in R(TS_C),\ |\psi\rangle \models X. \qquad (4)$$

Now we achieve our goal by showing the following:

Lemma 4.2. $\mathcal{A} \models \mathrm{inv}X$ if and only if $TS_C \models P_{inv}$.

PROOF. Let $RS(TS_C)$ be the subspace of $H$ spanned by the states $|\psi\rangle$ such that $\psi$ is reachable in $TS_C$; that is,

$$RS(TS_C) = \mathrm{span}\{|\psi\rangle \mid \psi \in R(TS_C)\}.$$

We have seen that $\mathcal{A} \models \mathrm{inv}X$ if and only if $|\psi\rangle \models X$ for all $|\psi\rangle \in RS(\mathcal{A})$. Therefore, according to Lemma 3.1 and Eq. (4), we only need to show that $RS(\mathcal{A}) = RS(TS_C)$.

First, we demonstrate that $RS(TS_C) \subseteq RS(\mathcal{A})$. If $\psi \in R(TS_C)$, then $|\psi\rangle$ is an eigenstate of some $U_a$ and thus is either in $RS(\mathcal{A})$ or in $RS(\mathcal{A})^\perp$. To show that $|\psi\rangle \in RS(\mathcal{A})$, we only need to prove that it is nonorthogonal to $RS(\mathcal{A})$. This can be done by induction. For any $\psi \in I_C$, $|\psi\rangle$ is nonorthogonal to $I$ and thus is nonorthogonal to $RS(\mathcal{A})$. If $|\psi'\rangle \in RS(\mathcal{A})$ and $\psi$ is a successor of $\psi'$ in $TS_C$, then it holds that $\langle \psi' | \psi \rangle \ne 0$, and $|\psi\rangle$ is nonorthogonal to $RS(\mathcal{A})$.

Second, we prove that $RS(\mathcal{A}) \subseteq RS(TS_C)$. It suffices to verify that $RS(TS_C)$ satisfies the two conditions in Lemma 2.1. We observe that $\langle \psi | \varphi \rangle = 0$ for any $\psi \in R(TS_C)$ and for any $\varphi \in S_C \setminus R(TS_C)$, and $\mathrm{span}\{|\psi\rangle \mid \psi \in S_C\} = H$. Therefore,

$$RS(TS_C)^\perp = \mathrm{span}\{|\psi\rangle \mid \psi \in S_C \setminus R(TS_C)\}.$$

Notice that $\psi \perp I$ for all $\psi \in S_C \setminus R(TS_C)$. Thus, $I \perp RS(TS_C)^\perp$, and $I \subseteq RS(TS_C)$. So condition 1) in Lemma 2.1 is satisfied. On the other hand, for any $a \in Act$, assume that $|\psi_{a1}\rangle, |\psi_{a2}\rangle, \ldots, |\psi_{ad}\rangle$ are all the eigenstates of $U_a$, where the first $r$ states are in $R(TS_C)$ and the other $d - r$ ones are in $RS(TS_C)^\perp$. Since these states are pairwise orthogonal, we have $r \le \dim RS(TS_C)$ and

$$d - r \le \dim RS(TS_C)^\perp = d - \dim RS(TS_C).$$

Thus, $r = \dim RS(TS_C)$. It means that $\{|\psi_{a1}\rangle, |\psi_{a2}\rangle, \ldots, |\psi_{ar}\rangle\}$ is a basis of $RS(TS_C)$. Now, for any $|\psi\rangle \in RS(TS_C)$, let

We have

$$U_a |\psi\rangle = \sum_{i \le r} \alpha_i \lambda_{ai} |\psi_{ai}\rangle \in RS(TS_C),$$

where $\lambda_{ai}$ is the eigenvalue corresponding to $|\psi_{ai}\rangle$. Therefore, $U_a RS(TS_C) \subseteq RS(TS_C)$, and condition 2) in Lemma 2.1 is also satisfied. □

The above lemma allows us to adopt the algorithms for checking invariants of (classical) transition systems, e.g. Algorithms 3 and 4 presented in [2], pages 109 and 110, to check invariants of quantum automata in which all unitary operators have no degenerate eigenstates.
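The reduction of this subsection, as an added example (illustrative code written for this page, not the paper's own implementation). It assumes numpy, builds the transition system $TS_C$ from the eigenstates of every $U_a$, computes $R(TS_C)$ by a classical graph search, and decides $TS_C \models P_{inv}$ exactly as Eq. (4) states, i.e. by checking that every reachable eigenstate lies in $X$; it refuses to run when some $U_a$ has a repeated eigenvalue, since the reduction assumes non-degenerate spectra. The tolerances and the single-qubit automata at the bottom are assumptions constructed for illustration:

```python
"""Invariant checking via the classical transition system TS_C of Section 4.2.

Added example; tolerances and sample automata are assumptions of this example.
"""
from collections import deque

import numpy as np

TOL = 1e-9  # tolerance for orthogonality and membership tests (assumption)


def in_span(vec, basis, tol=TOL):
    """True iff vec lies in span(basis), judged by the least-squares residual."""
    if not basis:
        return np.linalg.norm(vec) < tol
    B = np.column_stack(basis)
    coeff, *_ = np.linalg.lstsq(B, vec, rcond=None)
    return np.linalg.norm(B @ coeff - vec) < tol


def eigenstates(U, tol=TOL):
    """Normalised eigenstates of U.

    Raises ValueError when two eigenvalues coincide: the reduction of Section 4.2
    is only valid for unitaries without degenerate eigenstates.
    """
    vals, vecs = np.linalg.eig(U)
    for i in range(len(vals)):
        for j in range(i + 1, len(vals)):
            if abs(vals[i] - vals[j]) < tol:
                raise ValueError("degenerate eigenvalue; reduction not applicable")
    return [vecs[:, i] / np.linalg.norm(vecs[:, i]) for i in range(len(vals))]


def is_reducible(U, tol=TOL):
    """True iff U has no degenerate eigenvalue (the hypothesis of Section 4.2)."""
    try:
        eigenstates(U, tol)
        return True
    except ValueError:
        return False


def build_ts(unitaries, init_basis, tol=TOL):
    """S_C (as vectors), the successor map of ->_C, and I_C, as in items (1), (3), (4)."""
    states = [v for U in unitaries.values() for v in eigenstates(U, tol)]

    def nonorth(u, v):
        return abs(np.vdot(u, v)) > tol

    # psi -tau-> phi  iff  <psi|phi> != 0
    succ = {i: [j for j in range(len(states)) if nonorth(states[i], states[j])]
            for i in range(len(states))}
    # psi is initial iff |psi> is nonorthogonal to I, i.e. to some basis vector of I
    init = [i for i, v in enumerate(states) if any(nonorth(v, w) for w in init_basis)]
    return states, succ, init


def reachable(succ, init):
    """R(TS_C): breadth-first search over the classical transition relation."""
    seen, queue = set(init), deque(init)
    while queue:
        i = queue.popleft()
        for j in succ[i]:
            if j not in seen:
                seen.add(j)
                queue.append(j)
    return seen


def check_invariant_classical(unitaries, init_basis, X, tol=TOL):
    """TS_C |= P_inv, i.e. every reachable eigenstate satisfies X (Eq. (4));
    by Lemma 4.2 this is equivalent to A |= inv X."""
    states, succ, init = build_ts(unitaries, init_basis, tol)
    return all(in_span(states[i], X, tol) for i in reachable(succ, init))


def qubit_example():
    """Constructed single-qubit sample with I = span{|0>}."""
    e0 = np.array([1, 0], dtype=complex)
    e1 = np.array([0, 1], dtype=complex)
    Z = np.diag([1, -1]).astype(complex)             # eigenstates |0>, |1>
    Xg = np.array([[0, 1], [1, 0]], dtype=complex)   # eigenstates |+>, |->
    only_z = check_invariant_classical({"z": Z}, [e0], [e0])          # |0> fixed: True
    z_and_x = check_invariant_classical({"z": Z, "x": Xg}, [e0], [e0])  # |+> then |1> reachable: False
    whole = check_invariant_classical({"z": Z, "x": Xg}, [e0], [e0, e1])  # X = H: True
    degenerate = is_reducible(np.eye(2, dtype=complex))               # identity: False
    return only_z, z_and_x, whole, degenerate


if __name__ == "__main__":
    print(qubit_example())
```

Note what changed relative to the depth-first search of Section 4: the only floating-point decisions left are the fixed, one-off tests "is $\langle\psi|\varphi\rangle$ zero" between eigenvectors, so no error accumulates along a path, which is exactly the instability the previous subsection warned about.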
5. MODEL CHECKING REVERSIBLE SAFETY PROPERTIES

One of the major techniques for verification of linear-time properties is automata-based model-checking [32; ?]. This approach can reduce the problem of verifying a large class of linear-time properties to checking some specific properties for which algorithms are known. This section generalizes it to the quantum setting and establishes a reduction from verifying regular safety properties of quantum automata to checking their invariants, for which an algorithm was given in the last section. In this section and the next, we always assume that the Hilbert space $H$ is finite-dimensional.

5.1 Reversible Automata 

The key idea of automata-based model-checking is to combine the system under consideration with an automaton that recognizes the property to be checked. Since the evolution of (closed) quantum systems is essentially reversible, it is reasonable to employ reversible automata in model-checking quantum systems.

Recall that a nondeterministic finite automaton (an NFA for short) is a quintuple

$$A = (Q, \Sigma, \{\xrightarrow{A} \mid A \in \Sigma\}, Q_0, F),$$

where $Q$ is a finite set of states, $\Sigma$ is an alphabet of input symbols, $\xrightarrow{A} \subseteq Q \times Q$ is a transition relation for each $A \in \Sigma$, $Q_0 \subseteq Q$ is the set of initial states, and $F \subseteq Q$ is the set of final states. A word $w$ over alphabet $\Sigma$ is a finite string of elements of $\Sigma$, i.e.

$$w \in \Sigma^* = \bigcup_{n=0}^{\infty} \Sigma^n.$$

A language over $\Sigma$ is a subset of $\Sigma^*$. A word $w = A_1 A_2 \ldots A_n$ is accepted by $A$ if there are $q_0 \in Q_0$, $q_1, \ldots, q_{n-1} \in Q$ and $q_n \in F$ such that

$$q_0 \xrightarrow{A_1} q_1 \xrightarrow{A_2} \cdots q_{n-1} \xrightarrow{A_n} q_n.$$

The language $\mathcal{L}(A)$ accepted by $A$ is defined to be the set of the words accepted by $A$. A language over $\Sigma$ is called regular if it can be accepted by an NFA.

An NFA is called a deterministic finite automaton (DFA for short) if $Q_0$ is a singleton and there are no pairs of transitions of the form $q \xrightarrow{A} q_1$ and $q \xrightarrow{A} q_2$ with $q_1 \ne q_2$. Dually, an NFA is said to be co-deterministic if $F$ is a singleton and there are no pairs of transitions $q_1 \xrightarrow{A} q$ and $q_2 \xrightarrow{A} q$ with $q_1 \ne q_2$.

Reversible automata and the languages accepted by them have been thoroughly studied in [29], [30]. Here, we only recall the definition of reversible automata for the convenience of the reader.

DEFINITION 5.1. An NFA $A = (Q, \Sigma, \{\xrightarrow{A} \mid A \in \Sigma\}, Q_0, F)$ is said to be reversible if there are no pairs of transitions of the form $q \xrightarrow{A} q_1$ and $q \xrightarrow{A} q_2$ with $q_1 \ne q_2$, and there are no pairs of transitions $q_1 \xrightarrow{A} q$ and $q_2 \xrightarrow{A} q$ with $q_1 \ne q_2$.

5.2 Products of Quantum Automata and Reversible Automata 

Let $\mathcal{A} = (Act, \{U_a \mid a \in Act\}, I)$ be a quantum automaton in Hilbert space $H$. We can choose an orthonormal basis of $I$ and then extend it to an orthonormal basis $\{|\psi_i\rangle\}$ of $H$; in other words, we can choose an orthonormal basis $\{|\psi_i\rangle\}$ of $H$ so that $\{|\psi_i\rangle \mid |\psi_i\rangle \in I\}$ is an orthonormal basis of $I$. On the other hand, let $AP \subseteq \mathcal{S}(H)$ be a finite set of atomic propositions, and let $\Sigma = 2^{AP}$. Suppose that $A = (Q, \Sigma, \{\xrightarrow{A} \mid A \in \Sigma\}, Q_0, F)$ is a co-deterministic finite state automaton. It is assumed that $Q_0 \cap F = \emptyset$. For each $A \in \Sigma = 2^{AP}$ and for each $q \in Q$, we write

$$succ(q, A) = \{q' \in Q \mid q \xrightarrow{A} q' \text{ in } A\}.$$

Then both $succ(q, A) = \emptyset$ and $|succ(q, A)| > 1$ are possible. Whenever $succ(q, A) \ne \emptyset$, we can choose an element $q'_0 \in succ(q, A)$. In particular, in the case $succ(q, A) \cap F \ne \emptyset$, we always choose $q'_0 \in F$. Then we define $\delta(q, A) = q'_0$. In the case $succ(q, A) = \emptyset$, $\delta(q, A)$ is undefined. Thus, we have defined a partial function $\delta : Q \times \Sigma \to Q$.

We write

$$H_Q = \mathrm{span}\{|q\rangle \mid q \in Q\}$$

for the Hilbert space with $\{|q\rangle \mid q \in Q\}$ as its orthonormal basis. For each $i$, we put

$$Q_i = \{q \in Q \mid succ(q, L(|\psi_i\rangle)) \ne \emptyset\}.$$

Since $A$ is co-deterministic, we have

$$|\{\delta(q, L(|\psi_i\rangle)) \mid q \in Q_i\}| = |Q_i|.$$

Thus, there is a bijection

$$\kappa : Q \setminus Q_i \to Q \setminus \{\delta(q, L(|\psi_i\rangle)) \mid q \in Q_i\}.$$

For each $a \in Act$, we can define a linear operator $V_a$ on the Hilbert space $H \otimes H_Q$ as follows:

$$V_a(|\psi_i\rangle|q\rangle) = \begin{cases} (U_a|\psi_i\rangle)\,|\delta(q, L(U_a|\psi_i\rangle))\rangle & \text{if } q \in Q_i, \\ (U_a|\psi_i\rangle)\,|\kappa(q)\rangle & \text{otherwise} \end{cases}$$

for all $i$ and for all $q \in Q$. It is easy to verify that $V_a$ is a unitary operator by the assumption that $A$ is co-deterministic.

DEFINITION 5.2. The product of $\mathcal{A}$ and (a profile of) $A$ is defined to be the quantum automaton

$$\mathcal{A} \otimes A = (Act, \{V_a \mid a \in Act\}, I)$$

in Hilbert space $H \otimes H_Q$, where

$$I = \mathrm{span}\{|\psi_i\rangle|q\rangle \mid \text{basis state } |\psi_i\rangle \in I \text{ and } q_0 \xrightarrow{L(|\psi_i\rangle)} q \text{ in } A \text{ for some } q_0 \in Q_0\}$$

is a closed subspace of $H \otimes H_Q$.

5.3 Reversible Safety Properties 

Now let $P$ be a safety property over $AP$. Then the set $BPref(P)$ of bad prefixes of $P$ is a language over alphabet $\Sigma = 2^{AP}$. If it is a regular language, then $P$ is called a regular safety property. For a regular safety property $P$, there exists an NFA accepting $BPref(P)$. The subset construction in automata theory shows that $BPref(P)$ can be accepted by a DFA. By removing all outgoing transitions from the final states we then obtain a DFA that accepts $MBPref(P)$. So, $MBPref(P)$ is also a regular language over alphabet $\Sigma = 2^{AP}$. Furthermore, note that regular languages are closed under reversal. So, there is also a co-deterministic finite automaton $A$ such that $\mathcal{L}(A) = MBPref(P)$. Note that in the case that the empty word is in $MBPref(P)$ we have $P = \emptyset$. In what follows we simply exclude this trivial case. Then it always holds that $Q_0 \cap F = \emptyset$.

Our aim is to give a characterization of the satisfaction relation between quantum automata and regular safety properties in terms of invariants. We choose the following set $AP$ of atomic propositions on $H \otimes H_Q$:

$$AP = \{H \otimes \mathrm{span}\{|q\rangle \mid q \in R\} \mid \emptyset \ne R \subseteq Q\}.$$

It is easy to see that $AP$ satisfies the commutativity condition in Lemmas 3.1, 3.3 and 3.4. The commutativity of $AP$ is necessary for the main results in this section. First, we have the following:

PROPOSITION 5.1. Suppose that $P$ is a regular safety property and the co-deterministic automaton $A$ accepts $MBPref(P)$. If $\mathcal{A} \models P$ then

$$\mathcal{A} \otimes A \models \mathrm{inv}(H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}). \qquad (5)$$

Proof. It is easy to see that the set $AP$ of atomic propositions in $H \otimes H_Q$ satisfies conditions 1) and 2) in Lemma 3.1. We assume that $\mathcal{A} \models P$ and want to show Eq. (5). By Lemma 3.3 and the definition of $I$ it suffices to show that for any basis state $|\psi_i\rangle \in I$ and for any $q \in Q$ with

for some $q_0 \in Q_0$, if $|\xi\rangle \in H \otimes H_Q$ is reachable from $|\psi_i\rangle|q\rangle$, then

$$|\xi\rangle \models H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}.$$

Suppose that

$$|\psi_i\rangle|q\rangle \xrightarrow{a_1} |\xi_1\rangle \xrightarrow{a_2} \cdots \xrightarrow{a_k} |\xi_k\rangle = |\xi\rangle$$

for some $a_1, a_2, \ldots, a_k \in Act$. By the definition of the $V_a$'s we obtain:

$$|\xi_1\rangle = (U_{a_1}|\psi_i\rangle)|q_1\rangle, \qquad q \xrightarrow{L(U_{a_1}|\psi_i\rangle)} q_1,$$

$$|\xi_2\rangle = (U_{a_2}U_{a_1}|\psi_i\rangle)|q_2\rangle, \qquad q_1 \xrightarrow{L(U_{a_2}U_{a_1}|\psi_i\rangle)} q_2,$$

$$\cdots$$

$$|\xi_k\rangle = (U_{a_k}\cdots U_{a_1}|\psi_i\rangle)|q_k\rangle, \qquad q_{k-1} \xrightarrow{L(U_{a_k}\cdots U_{a_1}|\psi_i\rangle)} q_k.$$

Then we have:

$$\pi = |\psi_i\rangle\,(U_{a_1}|\psi_i\rangle)\cdots(U_{a_k}\cdots U_{a_1}|\psi_i\rangle)$$

is a path fragment in $\mathcal{A}$. Since $|\psi_i\rangle \in I$, we obtain:

$$\sigma = L(|\psi_i\rangle)\,L(U_{a_1}|\psi_i\rangle)\cdots L(U_{a_k}\cdots U_{a_1}|\psi_i\rangle) \in Traces_{fin}(\mathcal{A}).$$

It follows from Lemma 3.2 that

$$Traces_{fin}(\mathcal{A}) \cap MBPref(P) = \emptyset$$

because $\mathcal{A} \models P$. Thus, $\sigma \notin MBPref(P) = \mathcal{L}(A)$ and $q_k \notin F$. Consequently, it holds that

$$|\xi_k\rangle = (U_{a_k}\cdots U_{a_1}|\psi_i\rangle)|q_k\rangle \in H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\} \in AP$$

and

$$|\xi\rangle = |\xi_k\rangle \models H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}.$$

□

It is easy to see that in general the converse of the above proposition does not hold. However, it holds for safety properties whose bad prefixes are accepted by reversible automata [30].

DEFINITION 5.3. A safety property $P$ is said to be reversible if $MBPref(P)$ is accepted by a reversible automaton $A$.

Now we are ready to present one of the main results in this paper. 

THEOREM 5.1. If $P$ is a reversible safety property and $A$ a reversible automaton with $\mathcal{L}(A) = MBPref(P)$, then $\mathcal{A} \models P$ if and only if

$$\mathcal{A} \otimes A \models \mathrm{inv}(H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}). \qquad (6)$$

PROOF. With Proposition 5.1, we only need to show that Eq. (6) implies $\mathcal{A} \models P$. This can be done by refutation. If $\mathcal{A} \models P$ does not hold, then it follows from Lemma 3.2 that

$$Traces_{fin}(\mathcal{A}) \cap MBPref(P) \ne \emptyset.$$

Then there is a path fragment $\pi = |\varphi_0\rangle|\varphi_1\rangle\ldots|\varphi_n\rangle$ in $\mathcal{A}$ such that $|\varphi_0\rangle \in I$ and

$$\sigma = L(\pi) = L(|\varphi_0\rangle)L(|\varphi_1\rangle)\ldots L(|\varphi_n\rangle) \in MBPref(P) = \mathcal{L}(A).$$

First, there are $a_1, \ldots, a_n \in Act$ such that $|\varphi_{j+1}\rangle = U_{a_{j+1}}|\varphi_j\rangle$ for $j = 0, 1, \ldots, n-1$. Secondly, by definition there are $q_{-1}, q_0, q_1, \ldots, q_n \in Q$ such that $q_{-1} \in Q_0$, $q_n \in F$ and the transitions

$$q_{-1} \xrightarrow{L(|\varphi_0\rangle)} q_0 \xrightarrow{L(|\varphi_1\rangle)} q_1 \cdots \xrightarrow{L(|\varphi_n\rangle)} q_n$$

hold in $A$. Since $A$ is reversible, we obtain:

$$q_{j+1} = \delta(q_j, L(|\varphi_{j+1}\rangle))$$

for $j = -1, 0, 1, \ldots, n-1$. Therefore, $|\varphi_0\rangle|q_0\rangle \in I$ and we have

$$|\varphi_0\rangle|q_0\rangle \xrightarrow{a_1} |\varphi_1\rangle|q_1\rangle \xrightarrow{a_2} \cdots |\varphi_{n-1}\rangle|q_{n-1}\rangle \xrightarrow{a_n} |\varphi_n\rangle|q_n\rangle$$

in $\mathcal{A} \otimes A$. So, $|\varphi_n\rangle|q_n\rangle$ is reachable from $|\varphi_0\rangle|q_0\rangle$. However,

$$L(|\varphi_n\rangle|q_n\rangle) = \{H \otimes \mathrm{span}\{|q\rangle \mid q \in R\} \mid q_n \in R \subseteq Q\}$$

and

$$\bigcap_{Y \in L(|\varphi_n\rangle|q_n\rangle)} Y = H \otimes \mathrm{span}\{|q_n\rangle\} \not\subseteq H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}$$

because $q_n \in F$. This means that

$$|\varphi_n\rangle|q_n\rangle \not\models H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}.$$

Consequently,

$$\mathcal{A} \otimes A \not\models \mathrm{inv}(H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}).$$

□

ACM Transactions on Computational Logic, Vol. 2, No. 3, 09 2001.

Model-Checking Quantum Systems • 25

The above theorem reduces the problem of checking a reversible safety property for the quantum automaton $\mathcal{A}$ to checking an invariant for the quantum automaton $\mathcal{A} \otimes A$, for which an algorithm was already given in Sec. 4.

6. MODEL-CHECKING ω-REVERSIBLE PROPERTIES

The results given in the last section can be generalized to a larger class of linear-time properties by using reversible Büchi automata. A Büchi automaton is an NFA accepting infinite words. Let $A = (Q, \Sigma, \{\xrightarrow{A} \mid A \in \Sigma\}, Q_0, F)$ be an NFA. We write $\Sigma^\omega$ for the set of $\omega$-words over $\Sigma$, i.e. infinite sequences of elements of $\Sigma$. An $\omega$-word $w = A_0 A_1 A_2 \ldots \in \Sigma^\omega$ is accepted by the Büchi automaton $A$ if there exists an infinite sequence $q_0, q_1, q_2, \ldots$ in $Q$ such that $q_0 \in Q_0$,

$$q_0 \xrightarrow{A_0} q_1 \xrightarrow{A_1} q_2 \xrightarrow{A_2} \cdots$$

and $q_n \in F$ for infinitely many $n \ge 0$. The language $\mathcal{L}_\omega(A)$ accepted by the Büchi automaton $A$ is defined to be the set of $\omega$-words accepted by $A$.

First, Proposition 5.1 can be generalized as follows.

PROPOSITION 6.1. Let $P$ be a linear-time property and $A$ a co-deterministic finite state automaton such that $\mathcal{L}_\omega(A) = (2^{AP})^\omega \setminus P$. Then $\mathcal{A} \models P$ implies

$$\mathcal{A} \otimes A \models \mathrm{pers}(H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}).$$

Proof. By Lemma 3.4, it suffices to show that for any path

$$|\psi_i\rangle|q\rangle \xrightarrow{a_1} |\zeta_1\rangle \xrightarrow{a_2} |\zeta_2\rangle \xrightarrow{a_3} \cdots$$

where $|\psi_i\rangle$ is a basis state of $I$,

and $q_0 \in Q_0$, there exists $m \ge 0$ such that

$$|\zeta_n\rangle \models H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}$$

for all $n \ge m$. We write:

$$|\varphi_n\rangle = U_{a_n} \cdots U_{a_1} |\psi_i\rangle$$

for all $n \ge 1$. By the definition of the $V_a$'s we have $|\zeta_n\rangle = |\varphi_n\rangle|q_n\rangle$ for all $n \ge 1$, and

$$|\psi_i\rangle \xrightarrow{a_1} |\varphi_1\rangle \xrightarrow{a_2} |\varphi_2\rangle \xrightarrow{a_3} \cdots \qquad (7)$$

Therefore, it follows from Eq. (7) that

$$\sigma = L(|\psi_i\rangle)L(|\varphi_1\rangle)L(|\varphi_2\rangle)\ldots \in Traces(\mathcal{A}) \subseteq P$$

and

$$\sigma \notin (2^{AP})^\omega \setminus P = \mathcal{L}_\omega(A).$$

This together with Eq. (8) implies that there is $m \ge 0$ such that for $n \ge m$, we have $q_n \in Q \setminus F$, i.e.

$$|\zeta_n\rangle = |\varphi_n\rangle|q_n\rangle \in H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}.$$

□

As in the case of safety properties, the converse of the above proposition requires that the Büchi automaton for property $P$ is reversible. So, we have the following generalization of Theorem 5.1.

THEOREM 6.1. If $P$ is a linear-time property and $A$ a reversible automaton with $\mathcal{L}_\omega(A) = (2^{AP})^\omega \setminus P$, then $\mathcal{A} \models P$ if and only if

$$\mathcal{A} \otimes A \models \mathrm{pers}(H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}). \qquad (9)$$

PROOF. The "only if" part is exactly Proposition 6.1. For the "if" part, assume that Eq. (9) holds. We aim at proving $\mathcal{A} \models P$ by refutation. If $\mathcal{A} \not\models P$, then there exists a path

$$|\varphi_0\rangle \xrightarrow{a_0} |\varphi_1\rangle \xrightarrow{a_1} |\varphi_2\rangle \xrightarrow{a_2} \cdots$$

in $\mathcal{A}$ such that $|\varphi_0\rangle \in I$ and

$$L(|\varphi_0\rangle)L(|\varphi_1\rangle)L(|\varphi_2\rangle)\ldots \in (2^{AP})^\omega \setminus P = \mathcal{L}_\omega(A).$$

Consequently, we have a path

$$q_{-1} \xrightarrow{L(|\varphi_0\rangle)} q_0 \xrightarrow{L(|\varphi_1\rangle)} q_1 \xrightarrow{L(|\varphi_2\rangle)} \cdots$$

in $A$ such that $q_{-1} \in Q_0$ and $q_i \in F$ for infinitely many $i$. The assumption that $A$ is reversible implies that

$$q_{j+1} = \delta(q_j, L(|\varphi_{j+1}\rangle))$$

for all $j \ge -1$. Thus, by Definition 5.2 we obtain a path

$$|\varphi_0\rangle|q_0\rangle \xrightarrow{a_0} |\varphi_1\rangle|q_1\rangle \xrightarrow{a_1} |\varphi_2\rangle|q_2\rangle \xrightarrow{a_2} \cdots$$

in $\mathcal{A} \otimes A$ with $|\varphi_0\rangle|q_0\rangle \in I$, but

$$L(|\varphi_0\rangle|q_0\rangle)L(|\varphi_1\rangle|q_1\rangle)L(|\varphi_2\rangle|q_2\rangle)\ldots \notin \mathrm{pers}(H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\})$$

since

$$|\varphi_j\rangle|q_j\rangle \not\models H \otimes \mathrm{span}\{|q\rangle \mid q \in Q \setminus F\}$$

for infinitely many $j$. This is a contradiction. □
By the above theorem, we are able to reduce the problem of checking an ω-reversible property of the quantum automaton $\mathcal{A}$ to checking a persistence property of the quantum automaton $\mathcal{A} \otimes A$, which can be further reduced to checking an invariant by using Lemma 3.5. Therefore, the problem of checking ω-reversible properties of quantum systems can eventually be solved by employing the algorithm presented in Sec. 4.

7. CONCLUSION 

This paper aims at developing effective techniques for model-checking linear-time properties of quantum systems. It can be seen as one of the first steps toward a theoretical foundation for (classical) computer-aided verification of engineered quantum systems. The main contributions of the paper include:

— We define a mathematical framework in which we can examine various linear-time properties of quantum systems, such as safety and liveness properties.

— We present an algorithm for checking invariants of quantum systems.

— We show that both checking a safety property of a (closed) quantum system recognizable by a reversible automaton and checking a linear-time property of a (closed) quantum system recognizable by a reversible Büchi automaton can be done by verifying an invariant of a larger system.

The physical implication of the automata-based approach to model-checking a quantum system is very interesting. There are two systems involved in this approach. One of them is the quantum system $\mathcal{A}$ to be checked. It can be called the object system, and we assume that its state space is $H$. The other system is a classical system whose behavior is described by an automaton $A$. We call it the probe system. The object system and the probe system then interact to form the system $\mathcal{A} \otimes A$. The automata-based approach allows us to check a property of the object system by means of checking an invariant of $\mathcal{A} \otimes A$. Note that the invariant condition to be checked is of the form $H \otimes X$, where $X$ is a subspace of the state space of the probe system (see Theorems 5.1 and 6.1). So, only the probe system will be examined in checking such an invariant. Obviously, the idea of automata-based model-checking coincides with that of indirect quantum measurements (see for example [7], Sec. 2.4.6). This interesting physical meaning of the automata-based approach has been overlooked in the classical case. In the quantum case, it is even more interesting to notice that the probe system is a classical system, and thus the problem of checking a quantum system is reduced to checking a classical system.

As is well known, the most serious disadvantage of model-checking is the state explosion problem. This problem should not be very serious in the early period of applying model-checking techniques to quantum engineering. As one can imagine, the size of the quantum engineering systems that will be implemented in the near future cannot be very large. On the other hand, the errors in the design of these systems will not be caused mainly by large sizes that the designers are unable to manage. Instead, they may be caused by the counter-intuitive features of the quantum world that the designers cannot properly understand. So, we believe that model-checking techniques based on a solid mathematical model of quantum systems will be vital in guaranteeing correctness and safety of quantum engineering systems.

The results achieved in this paper are only a very small step toward the general goal of model-checking quantum systems, and many important problems remain unsolved. Here, we would like to mention a few open problems for further study:
— Non-probabilistic vs probabilistic (atomic) propositions: Only non-probabilistic atomic 
propositions are considered in this paper, following the basic idea of Birkhoff-von Neumann 
quantum logic [6]. However, quantum mechanics is essentially a statistical theory 
based on quantum measurements. So, more sophisticated model-checking techniques 
for quantum systems should be able to encompass probabilistic information by 
incorporating checking with the theory of quantum measurements. 

— Closed vs open quantum systems: In this paper, quantum systems are modeled by quantum 
automata whose behaviors are described by unitary operators. According to a basic 
postulate of quantum mechanics, unitary operators are suited to depict the dynamics 
of closed quantum systems. A more suitable mathematical formalism for the evolution of 
open quantum systems that interact with the environment is given in terms of 
super-operators [27] (see chapter 8). So, an interesting topic for further study is to extend 
the model-checking technique developed in this paper so that it can be applied to quantum 
systems modeled by quantum automata with super-operators as their description of 
transitions. 

— Linear-time vs branching-time: The algorithms presented in this paper can only check 
linear-time properties of quantum systems. One may naturally expect to develop 
model-checking techniques for quantum systems that can verify branching-time properties. The 
first step toward such an objective would be to define a logic that can properly specify 
branching-time behaviors of quantum systems. A quantum extension of computation 
tree logic was already proposed by Baltazar, Chadha, Mateus and Sernadas [3], [4]. It 
seems that more research in this direction is in order, because the branching notion of 
time for quantum systems is closely related to some foundational problems of quantum 
mechanics, e.g. trajectories [8] and decoherent (or consistent) histories [18], that are still 
not well understood even in the physics community. 

— Classical vs quantum algorithms: The algorithms for model-checking quantum systems 
developed in this paper are classical. As quantum engineering progresses, more and 
more complicated quantum systems will be produced, and classical algorithms might 
be too slow for checking their correctness and safety. But the development of quantum 
engineering might eventually lead to large-scale, functional quantum computers being 
built, and quantum computers would then be widely used in quantum engineering 
just as today's computers are used in today's engineering. An interesting open problem 
would be to design quantum algorithms for model-checking quantum systems (as well 
as classical systems). 